Security Flaw in PDF.js and React-PDF Puts Millions at Risk

A critical security vulnerability has been uncovered in two widely used PDF libraries, PDF.js and React-PDF, potentially exposing millions of users to malicious JavaScript code execution.

The flaws, identified as CVE-2024-4367 in PDF.js and CVE-2024-34342 in React-PDF, stem from the improper handling of JavaScript within PDF files.

PDF.js, a popular open-source PDF viewer supported by Mozilla, is used extensively across the web, with over 46,000 stars on GitHub and nearly 2 million weekly downloads from npm.

Similarly, React-PDF, a library for rendering PDFs in React applications, sees over 600,000 downloads per week. The widespread adoption of these libraries amplifies the potential impact of the discovered vulnerabilities.

The flaws were identified by security researcher Thomas Rinsma, who found that when PDF.js or React-PDF loads a malicious PDF file with the isEvalSupported setting enabled (which is true by default), it can lead to the execution of unrestricted JavaScript code within the context of the hosting domain.

This opens the door for attackers to steal sensitive user data, such as cookies and session tokens, or even perform actions on behalf of the unsuspecting user.

Versions of PDF.js up to 4.1.392 and React-PDF versions up to 7.7.2 and from 8.0.0 to 8.0.1 are affected by these vulnerabilities.

Users are strongly advised to update to the patched versions - 4.2.67 for PDF.js and 7.7.3 or 8.0.2 for React-PDF - which address the issue by removing the use of the JavaScript eval function, a known security risk.

For those unable to update immediately, a temporary workaround involves setting "isEvalSupported" to false.

In PDF.js, this is a global configuration, while in React-PDF, it must be specified within the "options" prop of the "Document" component. Disabling "eval" prevents the execution of malicious scripts embedded in PDF files.