CVE-2024-4367
Arbitrary Code Execution vulnerability in pdfjs-dist (npm)
What is CVE-2024-4367 About?
This vulnerability in pdf.js allows unrestricted, attacker-controlled JavaScript execution when a malicious PDF is loaded, provided `isEvalSupported` is set to `true`. This can lead to significant compromise of the hosting domain. Exploitation requires nothing more than a crafted PDF.
Affected Software
Technical Details
The vulnerability arises when pdf.js is configured with `isEvalSupported` set to `true` (the default). With this setting, the renderer compiles glyph-drawing code for fonts embedded in the PDF using `eval()` and dynamic `Function` construction, so a malicious actor can craft a PDF whose font data injects arbitrary JavaScript. When such a PDF is loaded and rendered by pdf.js, the injected JavaScript runs directly in the context of the hosting domain, giving the attacker control of the client-side environment: access to cookies and local storage, and the ability to issue arbitrary requests as the user.
What is the Impact of CVE-2024-4367?
Successful exploitation may allow attackers to execute arbitrary JavaScript code in the context of the hosting domain, leading to session hijacking, data theft, defacement, or other client-side attacks.
What is the Exploitability of CVE-2024-4367?
Exploitation is low in complexity. No authentication or specific privileges are required; an attacker only needs to entice a user to open a malicious PDF file with the vulnerable pdf.js configuration. It is a remote vulnerability, as the malicious PDF can be delivered via various channels (e.g., email, compromised websites). The critical prerequisite is that `isEvalSupported` is enabled, which is the default setting. The likelihood of exploitation is significantly increased due to the common practice of opening PDF files and the default unsafe configuration.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| LOURC0D3 | Link | CVE-2024-4367 & CVE-2024-34342 Proof of Concept |
| s4vvysec | Link | CVE-2024-4367 arbitrary js execution in pdf js |
| spaceraccoon | Link | YARA detection rule for CVE-2024-4367 arbitrary javascript execution in PDF.js |
What are the Available Fixes for CVE-2024-4367?
About the Fix from Resolved Security
The patch stops using eval and dynamic Function construction for font glyph rendering, instead using a pre-defined set of safe command objects and direct function calls to manipulate drawing contexts. This mitigates CVE-2024-4367 by preventing attacker-controlled fonts from injecting and executing arbitrary JavaScript code, eliminating a route for remote code execution through untrusted PDF font data.
Available Upgrade Options
- pdfjs-dist
  - <4.2.67 → Upgrade to 4.2.67
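The two conditions described above (a pdfjs-dist release below 4.2.67 and `isEvalSupported` left at its default of `true`) can be checked at the call site. The following is an added example, not code from this advisory or from pdf.js; it assumes the `isEvalSupported` key of the `getDocument()` parameter object and the fixed version stated in the upgrade table, and the sample parameter object is constructed.

```javascript
// Added example (not from the advisory or from pdf.js): audit a pdfjs-dist
// deployment for CVE-2024-4367 and produce a hardened getDocument() config.

const FIXED_VERSION = "4.2.67"; // first fixed release per the upgrade table

// Numeric comparison of dotted version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed pdfjs-dist version predates the fix.
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// pdf.js treats a missing isEvalSupported key as true (the documented default),
// so only an explicit false counts as disabled.
function evalEnabled(params) {
  return params.isEvalSupported !== false;
}

// Returns a list of findings; an empty list means neither condition holds.
function auditPdfjs(installedVersion, params) {
  const findings = [];
  if (isVulnerableVersion(installedVersion)) {
    findings.push(`pdfjs-dist ${installedVersion} < ${FIXED_VERSION}: upgrade`);
  }
  if (evalEnabled(params)) {
    findings.push("isEvalSupported is enabled (default): set it to false");
  }
  return findings;
}

// Copy of the getDocument() parameters with eval-based font compilation
// disabled; harmless on fixed versions, a mitigation on vulnerable ones.
function hardenedParams(params) {
  return { ...params, isEvalSupported: false };
}

// Constructed sample: a loader call as it might appear in an application.
const sampleParams = { url: "https://example.invalid/report.pdf" };
console.log(auditPdfjs("4.1.392", sampleParams));                 // two findings
console.log(auditPdfjs("4.2.67", hardenedParams(sampleParams))); // []
```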
Additional Resources
- https://github.com/mozilla/pdf.js/releases/tag/v4.2.67
- https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html
- https://osv.dev/vulnerability/GHSA-wgrm-67xf-hhpq
- https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html
- https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js
- https://github.com/gogs/gogs/issues/7928
- http://seclists.org/fulldisclosure/2024/Aug/30
- https://www.mozilla.org/security/advisories/mfsa2024-23
- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
What are Similar Vulnerabilities to CVE-2024-4367?
Similar Vulnerabilities: CVE-2023-47120, CVE-2022-42900, CVE-2021-3642, CVE-2020-13936, CVE-2019-17013
