PoC Released for JavaScript execution Vulnerability in PDF.js

A critical vulnerability, CVE-2024-4367, has been discovered in PDF.js, a widely used JavaScript-based PDF viewer maintained by Mozilla.

The issue affects all Firefox users with versions below 126 and numerous web and Electron-based applications that utilize PDF.js for PDF preview functionality.

PDF.js is integrated into Firefox as its built-in PDF viewer and is also available as a Node module called pdfjs-dist, which has approximately 2.7 million weekly downloads on NPM.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Codean Labs found this vulnerability, allowing attackers to execute arbitrary JavaScript code when a malicious PDF file is opened.

 Various websites use this module to provide embedded PDF preview functionality, making the impact of this vulnerability far-reaching.

PDF.js Vulnerability
PDF.js Vulnerability

CVE-2024-4367 – Technical Details and Exploitation

The vulnerability stems from an oversight in the font rendering code of PDF.js.

Specifically, it involves pre-computing a path generator function for every glyph using a JavaScript Function object.

If an attacker can control the commands (cmds) going into the Function body, they can insert and execute arbitrary code.

Here is a snippet of the vulnerable code:

// If we can, compile cmds into JS for MAXIMUM SPEED...

if (this.isEvalSupported && FeatureTest.isEvalSupported) {

  const jsBuf = [];

  for (const current of cmds) {

    const args = current.args !== undefined ? current. args.join(","): "";

    jsBuf.push("c.", current.cmd, "(", args, ");\n");


  // eslint-disable-next-line no-new-func


  return (this.compiledGlyphs[character] = new Function(






The vulnerability is triggered by manipulating the fontMatrix array, which can be specified in the PDF metadata.

An attacker can break the JavaScript syntax and execute arbitrary code by inserting a string value into this array.

For example, the following FontMatrix definition can trigger an alert:

/FontMatrix [1 2 3 4 5 (0\); alert\('foobar')]

To mitigate this vulnerability, it is recommended that PDF.js be updated to version 4.2.67 or higher.

Most wrapper libraries, such as react-pdf, have also released patched versions.

Developers should recursively check their node_modules folder for files named pdf.js to ensure they are not using a vulnerable version.

Additionally, setting the PDF.js setting isEvalSupported to false can disable the vulnerable code path.

Implementing a strict content-security policy that disables the use of eval and the Function constructor can also prevent the vulnerability from being exploited.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.