Note on pdfjs-dist security vulnerability

[wojtekmaj]

Important

• Update to 9.0.0 or later if you can
• Update to 7.7.3, 8.0.2 if you can't - then you're safe, even though automated security audits may still fail (longer explanation below).

What happened?

GHSA-wgrm-67xf-hhpq security advisory has been published in pdfjs-dist, a key dependency of ours, noting the use of eval, potentially allowing malicious PDF files to execute unrestricted attacker-controlled JavaScript in the context of the hosting domain.

Important: this vulnerability is only exploitable when isEvalSupported option is set to true (default).

How we addressed the vulnerability in React-PDF?

• isEvalSupported option is now forcefully being set to false, completely removing the attack vector. This patch has been released in versions 7.7.3 and 8.0.2.
• PDF.js has been updated to a fully non-vulnerable version in version 9.0.0.

Security audit still fail! What can I do?

• 😴 GHSA-wgrm-67xf-hhpq (CVE-2024-4367) can be safely dismissed/ignored. This security advisory means you're (indirectly) using pdfjs-dist that's potentially exploitable. This is expected if you're using React-PDF version older than 9.0.0.
• ⚠️ GHSA-87hq-q4gp-9wr4 (CVE-2024-34342) should not be ignored. This security advisory means you're using React-PDF version that is still missing the patch making pdfjs-dist vulnerability not exploitable.

Why didn't you just update pdfjs-dist to the latest version immediately?

It was the long term plan, but it was too early to leave v7/v8 users behind. Updating pdfjs-dist to the latest version was be a breaking change. This meant leaving v7 and v8 users behind. A quick, non-breaking patch release was, I believe, welcome by most.

Furthermore, pdfjs-dist versions earlier than 4.3.136 included changes that would break many setups, even the most modern ones.

[Scc33]

Thanks for the great detail!

[Ryanv030]

Appreciate the detail laid out here. However this puts us in an awkward spot. I don't want to turn off my pre-commit hook that checks for security vulnerabilities and if I keep the pre-commit hook on this will keep failing until pdfjs-dist is updated to version 4.2.67.

Is there a timetable for the longterm plan or would you recommend looking for new solutions outside of react-pdf?

[stevelizcano]

Just got merged!

[Hcrab2336]

For anyone else running into the npm audit issue, our devops team decided to run the npm audit step in a powershell script and grep for the exact output that pdfjs-dist gives when it fails alone and exit code 0 or 1 accordingly. It's not ideal but it's a temporary fix that keeps us running while still checking for vulnerabilities. I don't really know the specifics but hopefully this helps others until the fix is fully implemented.

[Ryanv030]

Appreciate the update @wojtekmaj!

[wojtekmaj]

@Ryanv030 @mattmogford-alcumus @stevelizcano @Hcrab2336 Good news! v9.0.0 is released and vulnerability is now fully fixed.

[Ryanv030]

Thank you @wojtekmaj!

[shye0000]

Thx for this announcement, it really clears things up for my team! We use this package and the date picker too, they kill perfectly our pain points of UI developement, well maintained with great communications! Hope for the best of this security issue!

[wojtekmaj]

@shye0000 Good news! v9.0.0 is released and vulnerability is now fully fixed.

[shye0000]

@wojtekmaj Super good news! Thank you so much!

[cpernsteineribm]

Finally mozilla/pdf.js#18051 got released https://github.com/mozilla/pdf.js/releases/tag/v4.3.136 🚀

[wojtekmaj]

@cpernsteineribm v9.0.0 is released and includes pdfjs-dist 4.3.136. :)

[TobiTenno]

migrating to v9 for the security fix is a pretty heavy lift if you're not already on esm builds. any chance to port just the security fix back to v8 so we can get the fix and update to ESM in our own time?

[wojtekmaj]

There's absolutely no way. We have:
v7 & 8: vulnerable, CJS-based PDF.js 3 + vulnerability mitigation (100% safe)
v9: non-vulnerable, ESM-based PDF.js 4, no mitigation necessary

[TobiTenno]

I see. Apologies for the extra noise.