← Back
CVE-2024-4367
high
CVSS 8.8
Vulnerability in pdfjs-dist (CVE-2024-4367)
Summary
vulnerability in pdfjs-dist (CVE-2024-4367). Successful exploitation can lead to full system takeover. Exploitable via ``isEvalSupported``. Mitigation: upgrade to `4.2.67` or later.
AI summary snake-internal / snake-material-v2
A vulnerability tracked as **CVE-2024-4367** has been found in pdfjs-dist.
Attackers can target a specific entry point like ``isEvalSupported`` over the network to misuse the product.
Successful exploitation can lead to full system takeover. CVSS score: 8.8/10.
What to do: upgrade pdfjs-dist to **4.2.67** or later.
If unsure, ask your IT team or search "pdfjs-dist CVE-2024-4367" on the vendor's site.
CVE-2024-4367 (pdfjs-dist) — CWE-754 / CVSS v3 8.8
Attack vector: remote (network-reachable) / unauthenticated
Attack surface: `isEvalSupported` / `true` / `eval` / `false`
Patched: `4.2.67` — apply immediately
Workaround: Set the option `isEvalSupported` to `false`.
Plan: 1) Audit SBOM/dependencies, 2) Stage→prod upgrade, 3) Add WAF/proxy monitoring on affected endpoints, 4) Hunt IOCs in logs.
Refs: see the GHSA / vendor advisory / patched release linked on this page.
❓ What is the problem
**A vulnerability** (CWE-754) exists in pdfjs-dist. Attackers reach the vulnerable code path via ``isEvalSupported`` without authentication.
📍 Affected scope
pdfjs-dist — . Attack surface: `isEvalSupported` / `true` / `eval` / `false`.
🔥 Severity
Severity: High (CVSS 8.8/10). Successful exploitation can lead to full system takeover
🔧 How to fix
Update to **4.2.67**.
🛡️ Workaround
Workaround: Set the option `isEvalSupported` to `false`.
🔍 Detection
Search webserver/proxy logs for unusual request patterns matching this CVE's known IOCs. Run `grep -r 'pdfjs-dist' .` against your dependency files (package-lock.json, requirements.txt, go.sum) to find affected services.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
-
1Identify exposure identify
grep -r 'pdfjs-dist' . | grep -v node_modulesリポジトリと本番環境の依存ファイル (package-lock.json / requirements.txt / go.sum / Gemfile.lock 等) で `pdfjs-dist` を grep し、稼働しているサービス・バージョンを把握する。
-
5Apply temporary workaround mitigate
Set the option `isEvalSupported` to `false`.パッチが適用されるまでの応急処置として、Set the option `isEvalSupported` to `false`. を実施。回避策の副作用 (機能低下) を確認した上で。
-
6Apply patch patch
Upgrade pdfjs-dist to 4.2.67ステージング環境で 4.2.67 に上げて回帰テスト → 本番反映。回帰テストはアプリの主要ハッピーパスと、Step 3 で見つけた異常検知の続報チェックを含めること。
-
7Post-deployment verification verify
Confirm patched version is live in productionパッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。
Affected packages
npm
pdfjs-dist
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.2.67"}]}]
References
- patch af854a3a-2127-422b-91ae-364da2661108
- patch af854a3a-2127-422b-91ae-364da2661108
- patch af854a3a-2127-422b-91ae-364da2661108
- web https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
- web https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html
- web https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html
- web http://seclists.org/fulldisclosure/2024/Aug/30
- web af854a3a-2127-422b-91ae-364da2661108
- web https://github.com/gogs/gogs/issues/7928
- web https://github.com/mozilla/pdf.js/releases/tag/v4.2.67
- web https://www.exploit-db.com/exploits/52273
- web https://cert-portal.siemens.com/productcert/html/ssa-827383.html
- web https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
- web https://github.com/mozilla/pdf.js/pull/18015
- web https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
- web https://nvd.nist.gov/vuln/detail/CVE-2024-4367
- web https://www.mozilla.org/security/advisories/mfsa2024-21
- web https://www.mozilla.org/security/advisories/mfsa2024-22
- web https://www.mozilla.org/security/advisories/mfsa2024-23
- web https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js
- web https://github.com/advisories/GHSA-wgrm-67xf-hhpq