Arbitrary JavaScript execution in PDF.js (write-up)

I found a way to execute JavaScript inside PDF.js from within an untrusted PDF. Real JavaScript, not the sandboxed PDF version :)

This had heavy consequences for many platforms rendering user-uploaded PDFs, lots of which use PDF.js, directly or indirectly (e.g. through react-pdf). Firefox itself was also vulnerable.

Read the write-up on Codean Labs’ blog:
https://codeanlabs.com/2024/05/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

This bug gained quite a bit of attention in the bug bounty crowd, and ended up being voted no. 7 in PortSwigger's top 10 web hacking techniques of 2024.