PDF.js CVE-2024-4367
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Blast Radius
ecosystem impact- 50 npm packages depend on pdfjs-dist (23 direct, 28 indirect)
Ecosystem-wide dependent count for version 4.2.67.
DescriptionCVE.org
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
AnalysisAI
Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Thunderbird before 115.11 when rendering a malicious PDF document. A missing type check in font handling lets a crafted PDF run JavaScript in the PDF.js context, and publicly available exploit code exists with an EPSS of 34.61% (97th percentile) indicating elevated exploitation likelihood.
Technical ContextAI
PDF.js is Mozilla's JavaScript-based PDF rendering engine embedded in Firefox, Thunderbird, and numerous downstream applications such as Open-Xchange AppSuite Frontend that bundle the library for inline document preview. The root cause aligns with CWE-754 (Improper Check for Unusual or Exceptional Conditions): the font-handling code path failed to validate an object's type before treating it as a callable, allowing an attacker-supplied function to be invoked during font processing. Because PDF.js runs as privileged JavaScript inside the browser/mail-client context, this primitive translates into script execution with access to the same origin and APIs as the PDF.js viewer page.
RemediationAI
Vendor-released patches are available: upgrade to Firefox 126 or later, Firefox ESR 115.11 or later, and Thunderbird 115.11 or later per Mozilla's advisories (mozilla.org/security/advisories/mfsa2024-21, mfsa2024-25, mfsa2024-26). Debian users should apply the corresponding DSA-package updates, and Open-Xchange AppSuite Frontend operators should upgrade beyond 7.10.6 revision13 using the Open-Xchange security advisory. Where immediate patching is infeasible, mitigate by disabling the in-browser PDF viewer (set pdfjs.disabled=true in about:config for Firefox, or configure mail clients to not auto-render PDF attachments) and routing PDFs to an external sandboxed viewer - the trade-off is loss of inline preview convenience and possible workflow disruption for users who rely on the embedded viewer.
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo
Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser in Mozilla Firefox before 45.0 and Firefox
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today