CVE-2024-34342 Overview
CVE-2024-34342 is a Cross-Site Scripting (XSS) vulnerability affecting react-pdf, a widely used library for displaying PDFs in React applications. react-pdf renders documents with Mozilla's PDF.js (the pdfjs-dist package) and inherits the PDF.js issue tracked as CVE-2024-4367: if PDF.js loads a malicious PDF while the isEvalSupported option is true (the default), attacker-controlled JavaScript runs in the context of the hosting domain. This is a significant risk for any web application that renders user-uploaded or externally sourced PDF files in the browser.
Critical Impact
Attackers can execute arbitrary JavaScript in the victim's browser session on the application's own origin, potentially leading to session hijacking, data theft, or account takeover. No interaction is required beyond the victim opening the PDF in the affected viewer.
Affected Products
- react-pdf versions prior to 7.7.3
- react-pdf versions 8.0.0 and 8.0.1 (8.x prior to 8.0.2)
- Any application that renders untrusted PDFs with an unpatched PDF.js (pdfjs-dist) and isEvalSupported left at its default of true
Discovery Timeline
- 2024-05-07 - CVE-2024-34342 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-34342
Vulnerability Analysis
This vulnerability stems from the way PDF.js turns parts of a document into JavaScript at render time. When isEvalSupported is true, PDF.js speeds up glyph rendering for certain embedded fonts by generating JavaScript source and compiling it with the Function constructor (this is the dynamic-evaluation path the option name refers to; it is not a literal eval() call). Values read from the PDF's font program are spliced into that generated source, and a missing type check meant an attacker could place a string where PDF.js expected a number. That string becomes code and executes with the same privileges as the hosting web application. Note that the payload does not travel as a PDF JavaScript action (/JavaScript or /OpenAction objects), so controls that only strip those objects do not address it.
The vulnerability is classified as CWE-79 (Cross-Site Scripting), since attacker-supplied content ends up executing as script in the origin of a trusted web application. User interaction is required only in the sense that the victim must open the malicious PDF in an affected viewer; nothing further has to be clicked or approved. A network-reachable attack vector combined with loss of confidentiality and integrity in the victim's session makes this vulnerability particularly concerning for applications that render user-uploaded PDF files.
Root Cause
The root cause is a missing type check in PDF.js's font handling: data read from an untrusted font program reached dynamically generated JavaScript without being validated as numeric. The isEvalSupported option determines whether that code-generation path is used at all, and because it defaults to true, the bug was reachable in every default installation. react-pdf, which wraps PDF.js for React applications, passed the default through unchanged, so its users were exposed without having configured anything themselves.
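To make the mechanism concrete, here is an added illustration (written for this page; it is not PDF.js or react-pdf source) of the bug class the Mozilla advisory describes: glyph-drawing code compiled with the Function constructor, with a value taken from the font object spliced in unchecked. The vulnerable and hardened versions sit side by side, together with the equivalent of isEvalSupported=false, a path that does the same work without generating code. All names (compileGlyphUnsafe, compileGlyphSafe, compileGlyphNoEval, fakeContext, attackerSink) and both FontMatrix inputs are made up for the demo.

```javascript
// Added illustration of the bug class behind CVE-2024-34342 (not PDF.js code).
// A renderer compiles a per-glyph drawing function with `new Function` and splices
// values read from the PDF's font object into the generated source. All names are
// invented for this demo; the two FontMatrix inputs below are constructed.

// Records anything the attacker's injected code manages to do.
const attackerSink = [];
globalThis.__cve_2024_34342_demo_sink = (v) => attackerSink.push(v);

// VULNERABLE: assumes every FontMatrix entry is a number, so a string that the
// font parser handed back verbatim becomes part of the generated JavaScript.
function compileGlyphUnsafe(fontMatrix) {
  const source =
    "return function draw(ctx) {\n" +
    `  ctx.transform(${fontMatrix.join(", ")});\n` +
    "  return ctx;\n" +
    "};";
  return new Function(source)();
}

// HARDENED: reject anything that is not exactly six finite numbers before it can
// reach generated code. Once only numeric literals can be interpolated, the
// codegen path itself is safe to keep.
function compileGlyphSafe(fontMatrix) {
  const ok = Array.isArray(fontMatrix) && fontMatrix.length === 6 &&
    fontMatrix.every((n) => typeof n === "number" && Number.isFinite(n));
  if (!ok) throw new TypeError("FontMatrix must be an array of six finite numbers");
  return compileGlyphUnsafe(fontMatrix);
}

// What isEvalSupported=false corresponds to: the same drawing done with a plain
// closure. Slower per glyph, but there is no generated source for attacker data
// to land in, so a bad value is just a bad argument, never code.
function compileGlyphNoEval(fontMatrix) {
  return function draw(ctx) { ctx.transform(...fontMatrix); return ctx; };
}

// Minimal stand-in for a canvas context that records the transforms applied to it.
function fakeContext() {
  const calls = [];
  return { calls, transform: (...args) => { calls.push(args); } };
}

function render(compile, fontMatrix) {
  const ctx = fakeContext();
  compile(fontMatrix)(ctx);
  return ctx.calls;
}

// Constructed inputs. A parser that skips the type check returns whatever token
// the font program contained, so the "matrix" can be a string like the second one.
const benignFontMatrix = [0.001, 0, 0, 0.001, 0, 0];
const maliciousFontMatrix = [
  "0.001, 0, 0, 0.001, 0, 0); globalThis.__cve_2024_34342_demo_sink('injected'); (0",
];

// Runs all three paths against the malicious input and reports what happened.
function demo() {
  const results = {};
  attackerSink.length = 0;
  render(compileGlyphUnsafe, maliciousFontMatrix);
  results.unsafeExecutedPayload = attackerSink.includes("injected");
  attackerSink.length = 0;
  try { compileGlyphSafe(maliciousFontMatrix); results.safeRejected = false; }
  catch (e) { results.safeRejected = e instanceof TypeError; }
  render(compileGlyphNoEval, maliciousFontMatrix);
  results.noEvalExecutedPayload = attackerSink.includes("injected");
  return results;
}

console.log(demo()); // { unsafeExecutedPayload: true, safeRejected: true, noEvalExecutedPayload: false }
```

Run it with node. In a browser, the same new Function call is what a Content-Security-Policy without 'unsafe-eval' refuses: it throws before any attacker text is evaluated, and PDF.js probes for exactly that condition and falls back to its non-generated rendering path, which is why a strict CSP is an effective compensating control for this bug.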
Attack Vector
The attacker crafts a PDF whose embedded font data carries a JavaScript payload in a field PDF.js expected to be numeric. When a victim views this PDF through a vulnerable react-pdf implementation, the payload executes in the browser on the hosting domain's origin. Delivery can take several forms, including:
- Uploading a malicious PDF to a file sharing platform
- Sending the malicious PDF via email with a link to view it in an affected application
- Hosting the malicious PDF and convincing users to view it through a vulnerable document viewer
The attacker-controlled JavaScript can then read whatever the page's own scripts can (document.cookie for cookies not marked HttpOnly, localStorage, tokens held in memory), issue authenticated requests to the application's API as the victim, alter the page content, or redirect the user to an attacker-controlled site.
Detection Methods for CVE-2024-34342
Indicators of Compromise
- CSP violation reports for eval-type violations (when 'unsafe-eval' is not allowed) attributed to pages that embed the PDF viewer
- Suspicious PDF files whose embedded fonts contain non-numeric or script-like tokens where numeric operands are expected (for example in a Type1 font's FontMatrix), or whose font programs are otherwise malformed or obfuscated
- Client-side errors or anomalous behavior when rendering PDF documents
- Network requests to unexpected external domains initiated from pages hosting the PDF viewer
Detection Strategies
- Serve a Content-Security-Policy whose script-src omits 'unsafe-eval'. The Function constructor then throws, which both blocks the code-generation path this bug lives in (PDF.js falls back to slower font rendering) and produces a violation report you can monitor
- Monitor client-side JavaScript errors for anomalies that correlate with PDF opens
- Inspect uploaded PDFs for embedded fonts with malformed operands before allowing viewing; note that stripping /JavaScript actions alone does not remove this payload, which lives in font data
- Do not rely on web application firewall signatures as the primary control: the payload is binary font data inside a PDF, not a recognizable script, so generic XSS rules are unlikely to match it
Monitoring Recommendations
- Enable logging for all PDF file uploads and rendering events in affected applications
- Monitor for CSP violation reports that may indicate attempted exploitation
- Implement file integrity monitoring for any cached or stored PDF files
- Set up alerts for eval-related CSP reports and for spikes in uncaught script errors that coincide with PDF rendering
How to Mitigate CVE-2024-34342
Immediate Actions Required
- Update react-pdf to version 7.7.3 or later for the 7.x branch
- Update react-pdf to version 8.0.2 or later for the 8.x branch
- Until you can upgrade, pass options={{ isEvalSupported: false }} to react-pdf's Document component (the options prop is forwarded to PDF.js); rendering of some fonts becomes slower, but no generated code is used
- Review and audit any applications that allow user-uploaded PDF files
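Auditing for this issue means finding every copy of react-pdf and pdfjs-dist in the dependency tree, not just the one in package.json, since another package can pull in its own older copy. The following is an added example (not react-pdf's or npm's own tooling) that reads the JSON from npm ls --all --json and flags versions in the advisory's affected ranges: react-pdf below 7.7.3 or 8.0.0 through 8.0.1, and pdfjs-dist below 4.2.67, the upstream PDF.js fix for CVE-2024-4367. It assumes the documented shape of that JSON (a nested name/version/dependencies map); the function names and the sample tree are made up.

```javascript
// Added example (not react-pdf's or npm's tooling): audit `npm ls --all --json`
// output for every react-pdf and pdfjs-dist copy in the tree, including nested ones,
// and flag the versions the advisories list as affected. Names are invented for the
// demo; the sample tree at the bottom is constructed.

// Numeric compare of "x.y.z" versions. Pre-release suffixes are dropped, which is
// acceptable for an audit that only needs the fixed-release boundary.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected per the react-pdf advisory: < 7.7.3 (all earlier majors too) and 8.0.0, 8.0.1.
function isVulnerableReactPdf(v) {
  if (cmpVersion(v, "7.7.3") < 0) return true;
  return cmpVersion(v, "8.0.0") >= 0 && cmpVersion(v, "8.0.2") < 0;
}

// Upstream PDF.js fix shipped in pdfjs-dist 4.2.67. Any direct use of an older
// pdfjs-dist with isEvalSupported left true is exposed regardless of react-pdf.
function isVulnerablePdfjsDist(v) {
  return cmpVersion(v, "4.2.67") < 0;
}

const CHECKS = { "react-pdf": isVulnerableReactPdf, "pdfjs-dist": isVulnerablePdfjsDist };

// Depth-first walk over the `dependencies` map npm emits. `path` records how each
// package was reached so a transitive copy can be traced to the dependency that brought it in.
function auditNpmLs(tree, path = [], findings = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version || "?"}`];
    if (CHECKS[name] && node.version) {
      findings.push({ name, version: node.version, path: here.join(" > "),
                      vulnerable: CHECKS[name](node.version) });
    }
    auditNpmLs(node, here, findings);
  }
  return findings;
}

// Constructed sample shaped like `npm ls --all --json`: the app depends on react-pdf 8.0.0
// directly and also gets a patched react-pdf through another internal package.
const sampleNpmLs = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    "react-pdf": { version: "8.0.0", dependencies: { "pdfjs-dist": { version: "4.0.379" } } },
    "internal-viewer": { version: "2.1.0", dependencies: {
      "react-pdf": { version: "8.0.2", dependencies: { "pdfjs-dist": { version: "4.2.67" } } } } },
  },
};

// Prints one line per occurrence and returns the number of vulnerable ones.
function report(tree) {
  const findings = auditNpmLs(tree);
  for (const f of findings) console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.path}`);
  return findings.filter((f) => f.vulnerable).length;
}

// Usage: npm ls --all --json > tree.json && node audit-react-pdf.js tree.json
// Without an argument the constructed sample is audited.
if (typeof process !== "undefined" && process.argv[2]) {
  import("node:fs").then(({ readFileSync }) =>
    report(JSON.parse(readFileSync(process.argv[2], "utf8"))));
} else {
  report(sampleNpmLs);
}
```

A finding against pdfjs-dist alone is worth checking rather than dismissing: react-pdf's fixed releases take care of their own PDF.js usage, but any other code in the bundle that instantiates PDF.js directly with the default options is exposed through that copy.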
Patch Information
The vulnerability has been fixed in react-pdf versions 7.7.3 and 8.0.2. The fixes stop relying on the insecure default and prevent malicious code execution from PDF documents; upstream, PDF.js corrected the missing type check in pdfjs-dist 4.2.67 (CVE-2024-4367). After upgrading, confirm with npm ls react-pdf pdfjs-dist that no older copy of either package remains in the tree through another dependency. For detailed information about the patches, refer to the React PDF Security Advisory and the related Mozilla PDF.js Security Advisory.
Workarounds
- Set isEvalSupported to false in the options object passed to react-pdf's Document component; this disables the dynamic code-generation path entirely, at some rendering speed cost for certain fonts
- Server-side sanitization must target the right thing: stripping PDF JavaScript actions does not remove this payload, which lives in font data, so a sanitizer would need to drop or re-encode embedded fonts, or re-render the document into a fresh PDF or images
- Use a Content-Security-Policy without 'unsafe-eval' in script-src so the Function constructor is refused before any generated code runs
- Rejecting uploads that contain /JavaScript objects is good hygiene against other PDF attacks but does not detect this one; do not treat it as a fix
// Configuration example for disabling isEvalSupported in react-pdf.
// options is a prop of the Document component; define the object outside the
// component (or memoize it) so a new object identity does not reload the PDF on every render.
const options = { isEvalSupported: false };
<Document file={pdfUrl} options={options}><Page pageNumber={1} /></Document>
# Example npm commands to update to patched versions
# (npm install pins the requested range in package.json; use the branch you are on):
npm install react-pdf@^7.7.3   # 7.x branch
npm install react-pdf@^8.0.2   # 8.x branch
# Verify the installed versions, including nested copies pulled in by other packages
npm ls react-pdf pdfjs-dist
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.