Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-wgrm-67xf-hhpq

HIGH

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

Also known asCVE-2024-4367
Published
May 7, 2024
Updated
May 13, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
16 known

EPSS Exploitation Probability

via FIRST.org ↗
72.6%probability of exploitation in next 30 days
Very High Risk99th percentile+34.31%
14.6%38.4%62.2%86.0%29.0%72.6%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
📦pdfjs-dist

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval: https://github.com/mozilla/pdf.js/pull/18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npmpdfjs-distall versions4.2.67
Exploits & PoCs
16

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

EDB-52273remotemultiple

Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution

by Milad karimi · Apr 22, 2025

Exploit-DB Source

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for pdfjs-dist. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update pdfjs-dist to 4.2.67 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wgrm-67xf-hhpq is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-wgrm-67xf-hhpq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-wgrm-67xf-hhpq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
O3 Security · Impact-Aware SCA

Is GHSA-wgrm-67xf-hhpq in your dependencies?

O3 detects GHSA-wgrm-67xf-hhpq across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works
GHSA-wgrm-67xf-hhpq: pdfjs-dist (High 8.8) | O3 Security