CVE-2024-34342 - Vulnerability Details - OpenCVE

react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.05029.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
https://github.com/mozilla/pdf.js/pull/18015
https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe
https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad
https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-07T14:29:06.599Z

Updated: 2024-08-02T02:51:10.948Z

Reserved: 2024-05-02T06:36:32.436Z

Link: CVE-2024-34342

Vulnrichment

Updated: 2024-08-02T02:51:10.948Z

NVD

Status : Deferred

Published: 2024-05-07T15:15:09.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-34342

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34342", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-02T06:36:32.436Z", "datePublished": "2024-05-07T14:29:06.599Z", "dateUpdated": "2024-08-02T02:51:10.948Z"}, "containers": {"cna": {"title": "react-pdf's PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4"}, {"name": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq", "tags": ["x_refsource_MISC"], "url": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq"}, {"name": "https://github.com/mozilla/pdf.js/pull/18015", "tags": ["x_refsource_MISC"], "url": "https://github.com/mozilla/pdf.js/pull/18015"}, {"name": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6", "tags": ["x_refsource_MISC"], "url": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6"}, {"name": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe", "tags": ["x_refsource_MISC"], "url": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe"}, {"name": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad", "tags": ["x_refsource_MISC"], "url": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad"}], "affected": [{"vendor": "wojtekmaj", "product": "react-pdf", "versions": [{"version": "< 7.7.3", "status": "affected"}, {"version": ">= 8.0.0, < 8.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-07T14:29:06.599Z"}, "descriptions": [{"lang": "en", "value": "react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2."}], "source": {"advisory": "GHSA-87hq-q4gp-9wr4", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34342", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-07T18:55:02.356516Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:pdf.js_viewer_project:pdf.js_viewer:*:*:*:*:*:wordpress:*:*"], "vendor": "pdf.js_viewer_project", "product": "pdf.js_viewer", "versions": [{"status": "affected", "version": "< 7.7.3, \t>= 8.0.0, < 8.0.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:26.586Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:10.948Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4"}, {"name": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq"}, {"name": "https://github.com/mozilla/pdf.js/pull/18015", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mozilla/pdf.js/pull/18015"}, {"name": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6"}, {"name": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe"}, {"name": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4", "name": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq", "name": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mozilla/pdf.js/pull/18015", "name": "https://github.com/mozilla/pdf.js/pull/18015", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6", "name": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe", "name": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad", "name": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:10.948Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34342", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-07T18:55:02.356516Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:pdf.js_viewer_project:pdf.js_viewer:*:*:*:*:*:wordpress:*:*"], "vendor": "pdf.js_viewer_project", "product": "pdf.js_viewer", "versions": [{"status": "affected", "version": "< 7.7.3, \t>= 8.0.0, < 8.0.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-07T18:54:14.086Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "react-pdf's PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF", "source": {"advisory": "GHSA-87hq-q4gp-9wr4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "wojtekmaj", "product": "react-pdf", "versions": [{"status": "affected", "version": "< 7.7.3"}, {"status": "affected", "version": ">= 8.0.0, < 8.0.2"}]}], "references": [{"url": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4", "name": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq", "name": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mozilla/pdf.js/pull/18015", "name": "https://github.com/mozilla/pdf.js/pull/18015", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6", "name": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe", "name": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad", "name": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-07T14:29:06.599Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34342", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:51:10.948Z", "dateReserved": "2024-05-02T06:36:32.436Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-07T14:29:06.599Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2."}, {"lang": "es", "value": "react-pdf muestra archivos PDF en aplicaciones React. Si se utiliza PDF.js para cargar un PDF malicioso y PDF.js est\u00e1 configurado con `isEvalSupported` establecido en `true` (que es el valor predeterminado), se ejecutar\u00e1 JavaScript sin restricciones controlado por el atacante en el contexto del dominio de alojamiento. Esta vulnerabilidad se solucion\u00f3 en 7.7.3 y 8.0.2."}], "id": "CVE-2024-34342", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-07T15:15:09.730", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6"}, {"source": "security-advisories@github.com", "url": "https://github.com/mozilla/pdf.js/pull/18015"}, {"source": "security-advisories@github.com", "url": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq"}, {"source": "security-advisories@github.com", "url": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe"}, {"source": "security-advisories@github.com", "url": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad"}, {"source": "security-advisories@github.com", "url": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/mozilla/pdf.js/pull/18015"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}