Skip to main content

PDF.js CVE-2024-4367

HIGH
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2024-05-14 security@mozilla.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 50 npm packages depend on pdfjs-dist (23 direct, 28 indirect)

Ecosystem-wide dependent count for version 4.2.67.

DescriptionCVE.org

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

AnalysisAI

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Thunderbird before 115.11 when rendering a malicious PDF document. A missing type check in font handling lets a crafted PDF run JavaScript in the PDF.js context, and publicly available exploit code exists with an EPSS of 34.61% (97th percentile) indicating elevated exploitation likelihood.

Technical ContextAI

PDF.js is Mozilla's JavaScript-based PDF rendering engine embedded in Firefox, Thunderbird, and numerous downstream applications such as Open-Xchange AppSuite Frontend that bundle the library for inline document preview. The root cause aligns with CWE-754 (Improper Check for Unusual or Exceptional Conditions): the font-handling code path failed to validate an object's type before treating it as a callable, allowing an attacker-supplied function to be invoked during font processing. Because PDF.js runs as privileged JavaScript inside the browser/mail-client context, this primitive translates into script execution with access to the same origin and APIs as the PDF.js viewer page.

RemediationAI

Vendor-released patches are available: upgrade to Firefox 126 or later, Firefox ESR 115.11 or later, and Thunderbird 115.11 or later per Mozilla's advisories (mozilla.org/security/advisories/mfsa2024-21, mfsa2024-25, mfsa2024-26). Debian users should apply the corresponding DSA-package updates, and Open-Xchange AppSuite Frontend operators should upgrade beyond 7.10.6 revision13 using the Open-Xchange security advisory. Where immediate patching is infeasible, mitigate by disabling the in-browser PDF viewer (set pdfjs.disabled=true in about:config for Firefox, or configure mail clients to not auto-render PDF attachments) and routing PDFs to an external sandboxed viewer - the trade-off is loss of inline preview convenience and possible workflow disruption for users who rely on the embedded viewer.

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2013-0753 CRITICAL POC
9.3 Jan 13

Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2013-1710 CRITICAL POC
10.0 Aug 07

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2014-1511 CRITICAL POC
9.8 Mar 19

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo

CVE-2016-1960 HIGH POC
8.8 Mar 13

Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser in Mozilla Firefox before 45.0 and Firefox

CVE-2015-0816 MEDIUM POC
5.0 Apr 01

Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource

CVE-2015-0802 MEDIUM POC
5.0 Apr 01

Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl

CVE-2013-2566 MEDIUM POC
5.9 Mar 15

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for

Share

CVE-2024-4367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy