CVE-2024-34342

Source
https://cve.org/CVERecord?id=CVE-2024-34342
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34342.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-34342
Aliases
Downstream
Related
Published
2024-05-07T14:29:06.599Z
Modified
2026-07-15T01:49:13.206557811Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L CVSS Calculator
Summary
react-pdf's PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Details

react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34342.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mozilla/pdf.js

Affected ranges

Type
GIT
Repo
https://github.com/mozilla/pdf.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}
Type
GIT
Repo
https://github.com/wojtekmaj/react-pdf
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.7.3"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.0.277
milestone-0.*
milestone-0.2
v0.*
v0.1.0
v0.3.459
v0.4.11
v0.5.5
v0.8.1181
v0.8.1334
v1.*
v1.0.1040
v1.0.1149
v1.0.2
v1.0.21
v1.0.277
v1.0.403
v1.0.473
v1.0.68
v1.0.712
v1.0.907
v1.1.1
v1.1.114
v1.1.215
v1.1.3
v1.1.366
v1.1.469
v1.10.88
v1.2.109
v1.3.88
v1.4.11
v1.4.20
v1.5.188
v1.6.210
v1.7.0
v1.7.225
v1.8.0
v1.8.1
v1.8.170
v1.8.188
v1.8.2
v1.8.3
v1.9.426
v1.x
v2.*
v2.0.0
v2.0.0-beta.5
v2.0.943
v2.1.0
v2.1.1
v2.1.2
v2.1.266
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.10.377
v2.11.338
v2.12.313
v2.13.216
v2.14.305
v2.15.349
v2.16.105
v2.2.0
v2.2.0-beta
v2.2.0-beta.2
v2.2.0-beta.3
v2.2.228
v2.3.0
v2.3.200
v2.4.0
v2.4.1
v2.4.2
v2.4.456
v2.5.0
v2.5.1
v2.5.2
v2.5.207
v2.6.347
v2.7.570
v2.8.335
v2.9.359
v3.*
v3.0.0
v3.0.0-alpha
v3.0.0-alpha.2
v3.0.0-alpha.3
v3.0.0-alpha.4
v3.0.0-beta
v3.0.1
v3.0.2
v3.0.279
v3.0.3
v3.0.4
v3.1.81
v3.10.111
v3.11.174
v3.2.146
v3.3.122
v3.4.120
v3.5.141
v3.6.172
v3.7.107
v3.8.162
v3.9.179
v4.*
v4.0.0
v4.0.0-beta
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-beta.5
v4.0.0-beta.6
v4.0.1
v4.0.189
v4.0.2
v4.0.269
v4.0.3
v4.0.379
v4.0.4
v4.0.5
v4.1.0
v4.1.392
v4.2.0
v4.x
v5.*
v5.0.0
v5.0.0-beta
v5.0.0-beta.2
v5.0.0-beta.3
v5.0.0-beta.4
v5.0.0-beta.5
v5.1.0
v5.1.0-beta
v5.2.0
v5.3.0
v5.3.1
v5.3.2
v5.4.0
v5.4.1
v5.5.0
v5.6.0
v5.7.0
v5.7.1
v5.7.2
v5.x
v6.*
v6.0.0
v6.0.0-beta
v6.0.0-beta.2
v6.0.0-beta.3
v6.0.0-beta.4
v6.0.0-beta.5
v6.0.0-beta.6
v6.0.1
v6.0.2
v6.0.3
v6.1.0
v6.1.1
v6.2.0
v6.2.1
v6.2.2
v6.x
v7.*
v7.0.0
v7.0.0-beta
v7.0.0-beta.2
v7.0.0-beta.3
v7.0.0-beta.4
v7.0.1
v7.0.2
v7.0.3
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.2.0
v7.3.0
v7.3.1
v7.3.2
v7.3.3
v7.4.0
v7.5.0
v7.5.1
v7.6.0
v7.7.0
v7.7.1
v7.7.2
v7.x
v8.*
v8.0.0
v8.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34342.json"