
pdfjs has a security vulnerability under version 3.2.146. Can it be upgraded to 4.2.67 or higher?

Open ava-zhang1 opened this issue 1 year ago • 6 comments

Affected versions of this package are vulnerable to Arbitrary Code Injection in font_loader.js, which passes input to the eval() function when the default isEvalSupported option is in use. An attacker can execute code by convincing a user to open a malicious PDF file.

ava-zhang1 avatar Dec 26 '24 10:12 ava-zhang1

We are also getting the same (below); could you please fix this ASAP? We bought a license too.

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Evidence: vulnerable package pdfjs-dist:3.11.174

Solution: Upgrade to version 4.2.67 or above.

godehk avatar Jan 08 '25 21:01 godehk

We are also getting the same (below); could you please fix this ASAP? We bought a license too.

I agree, any updates?

alessiofnes avatar Jan 21 '25 11:01 alessiofnes

Agreed, we need an update on this; it is obviously impacting multiple customers.

joebaileyrsm avatar Jan 23 '25 15:01 joebaileyrsm

I also encountered the same problem and hope for an upgrade and update.

liangskyli avatar Apr 05 '25 11:04 liangskyli

I have the same issue. Any timeline to update this package? We are stuck on this.

shaangidwani avatar Apr 10 '25 12:04 shaangidwani

You can pass this to your Viewer component to disable JS in the PDF:

transformGetDocumentParams={(params) => ({ ...params, isEvalSupported: false })}

olhapi avatar Apr 14 '25 11:04 olhapi
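The workaround in the comment above, written out as a reusable callback with a check that it took effect. This is an added example, not code from react-pdf-viewer or pdf.js; it assumes only that the `params` object handed to `transformGetDocumentParams` is the plain options object forwarded to pdf.js's `getDocument()`, and the sample input is constructed.

```javascript
// Added example (not from the react-pdf-viewer project): a transformGetDocumentParams
// callback that forces pdf.js's isEvalSupported option off, so font programs in a
// malicious PDF are never passed to eval(). Assumption: `params` is the plain
// getDocument() options object that react-pdf-viewer passes to the callback.

function disablePdfEval(params) {
  // Spread first so the override wins even if an upstream caller set
  // isEvalSupported: true; every other option (url, withCredentials, ...) is kept.
  return { ...params, isEvalSupported: false };
}

// Startup / test-time check: confirm the option object really has eval disabled,
// rather than relying on the library default.
function isEvalDisabled(params) {
  return params !== null && typeof params === 'object' && params.isEvalSupported === false;
}

// Constructed sample input: what an application might otherwise pass through.
const sampleParams = {
  url: 'https://example.invalid/report.pdf', // placeholder URL
  withCredentials: true,
  isEvalSupported: true, // the dangerous default, set explicitly here
};

const hardened = disablePdfEval(sampleParams);

// Usage in a component (JSX shown as a comment so this file stays plain JS):
//   <Viewer fileUrl={url} transformGetDocumentParams={disablePdfEval} />
```

Disabling eval only removes the code-execution path described in this issue; it does not change which pdf.js version is bundled, so the dependency upgrade is still the fix for the advisory itself.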