PDF.js CVE-2024-4367

HIGH
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2024-05-14 security@mozilla.org
CVSS 3.1: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Blast Radius

ecosystem impact
  • 49 npm packages depend on pdfjs-dist (23 direct, 27 indirect)

Ecosystem-wide dependent count for version 4.2.67.

Description (NVD)

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Analysis (AI)

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Thunderbird before 115.11 when rendering a malicious PDF document. A missing type check in font handling lets a crafted PDF run JavaScript in the PDF.js context. Publicly available exploit code exists, and the EPSS score of 34.61% (97th percentile) indicates elevated exploitation likelihood.

Technical Context (AI)

PDF.js is Mozilla's JavaScript-based PDF rendering engine embedded in Firefox, Thunderbird, and numerous downstream applications such as Open-Xchange AppSuite Frontend that bundle the library for inline document preview. The root cause aligns with CWE-754 (Improper Check for Unusual or Exceptional Conditions): the font-handling code path failed to validate an object's type before treating it as a callable, allowing an attacker-supplied function to be invoked during font processing. Because PDF.js runs as privileged JavaScript inside the browser/mail-client context, this primitive translates into script execution with access to the same origin and APIs as the PDF.js viewer page.

Remediation (AI)

Vendor-released patches are available: upgrade to Firefox 126 or later, Firefox ESR 115.11 or later, and Thunderbird 115.11 or later per Mozilla's advisories (mozilla.org/security/advisories/mfsa2024-21, mfsa2024-25, mfsa2024-26). Debian users should apply the corresponding DSA package updates, and Open-Xchange AppSuite Frontend operators should upgrade beyond 7.10.6 revision13 using the Open-Xchange security advisory. Where immediate patching is infeasible, mitigate by disabling the in-browser PDF viewer (set pdfjs.disabled=true in about:config for Firefox, or configure mail clients not to auto-render PDF attachments) and routing PDFs to an external sandboxed viewer. The trade-off is loss of inline preview convenience and possible workflow disruption for users who rely on the embedded viewer.
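For applications that bundle the library through npm (the pdfjs-dist dependents counted under Blast Radius), the following added example, which is not code from this page or from Mozilla, lists every installed pdfjs-dist copy in a package-lock.json and marks each as direct or transitive. It treats 4.2.67, the pdfjs-dist version this page names, as the first fixed release (an assumption to confirm against the upstream advisory); the sample lockfile and the package names in it are constructed.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for pdfjs-dist copies.
// Assumption: FIXED is 4.2.67, the pdfjs-dist version this page cites.
const FIXED = [4, 2, 67];

// Parse "major.minor.patch" into numbers, ignoring any pre-release suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// One finding per installed pdfjs-dist copy, nested (transitive) copies included.
function auditLock(lock, fixed = FIXED) {
  const root = lock.packages?.[''] ?? {};
  const declared = { ...root.dependencies, ...root.devDependencies };
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (!path.endsWith('node_modules/pdfjs-dist')) continue;
    const parsed = parseVersion(meta.version);
    findings.push({
      path,
      version: meta.version,
      // Direct: hoisted to the top level and declared by the root project.
      direct: path === 'node_modules/pdfjs-dist' && 'pdfjs-dist' in declared,
      // Unparseable versions are flagged so they get a manual review.
      vulnerable: parsed === null || isBefore(parsed, fixed),
    });
  }
  return findings;
}

// Constructed sample lockfile; "demo-app" and "report-viewer" are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'pdfjs-dist': '^4.2.67', 'report-viewer': '^1.0.0' } },
    'node_modules/pdfjs-dist': { version: '4.2.67' },
    'node_modules/report-viewer': { version: '1.0.0', dependencies: { 'pdfjs-dist': '^3.11.0' } },
    'node_modules/report-viewer/node_modules/pdfjs-dist': { version: '3.11.174' },
  },
};
console.log(auditLock(sampleLock).filter((f) => f.vulnerable));
```

A patched top-level copy does not clear a project: the nested copy pulled in by a dependency is still loaded by that dependency and needs its own upgrade or an npm override.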

CVE-2024-4367 vulnerability details – vuln.today