CVE-2024-4367 Overview
CVE-2024-4367 is a type confusion vulnerability in PDF.js, Mozilla's JavaScript-based PDF viewer library. A missing type check when handling fonts in PDF documents allows attackers to execute arbitrary JavaScript code within the PDF.js context. This vulnerability is particularly dangerous because PDF.js is embedded in Firefox, Thunderbird, and numerous web applications that render PDF documents.
Critical Impact
Arbitrary JavaScript execution through maliciously crafted PDF documents can lead to complete compromise of user sessions, data exfiltration, and further exploitation of affected browsers and applications.
Affected Products
- Mozilla Firefox (versions prior to 126)
- Mozilla Firefox ESR (versions prior to 115.11)
- Mozilla Thunderbird (versions prior to 115.11)
- Debian Linux 10.0
- Open-Xchange AppSuite Frontend (multiple versions through 7.10.6 revision 44)
Discovery Timeline
- May 14, 2024 - CVE-2024-4367 published to NVD
- April 24, 2025 - Last updated in NVD database
Technical Details for CVE-2024-4367
Vulnerability Analysis
The vulnerability resides in PDF.js's font handling code, specifically in how the library processes font definitions embedded within PDF documents. PDF.js parses font data to render text accurately, but a critical type check was missing during this processing phase. When the font handler receives unexpected input types, instead of validating and rejecting malformed data, the code proceeds to process the attacker-controlled content.
This improper validation creates a condition where an attacker can inject JavaScript code that gets evaluated in the PDF.js execution context. Since PDF.js runs with the same privileges as the hosting application (whether Firefox, Thunderbird, or a web application), successful exploitation grants the attacker significant access to perform actions on behalf of the user.
The vulnerability is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions), reflecting the missing validation that should have caught the malformed font data.
Root Cause
The root cause is a missing type check in the font processing logic of PDF.js. When parsing font definitions from PDF documents, the code expected specific data types but failed to validate input before use. This allowed an attacker to supply a malicious value where a legitimate font property was expected, which then got interpreted and executed as JavaScript code rather than being rejected as invalid input.
Attack Vector
Exploitation requires user interaction—specifically, opening a maliciously crafted PDF document. The attack vector is network-based, meaning attackers can distribute malicious PDFs through various channels:
- Email attachments opened in Thunderbird or webmail clients using PDF.js
- PDF files hosted on websites and viewed in Firefox's built-in PDF viewer
- Documents uploaded to web applications that use PDF.js for rendering
- Phishing campaigns directing victims to malicious PDF links
The attacker crafts a PDF document with a specially constructed font definition containing a JavaScript payload. When the victim opens this PDF in any application using a vulnerable PDF.js version, the payload executes within the application's context.
A proof-of-concept is publicly available at the Kabiri Labs GitHub repository, and a detailed technical analysis has been published by Codean Labs. An exploit has also been documented as Exploit-DB #52273.
Detection Methods for CVE-2024-4367
Indicators of Compromise
- Unexpected JavaScript execution events originating from PDF rendering processes
- Browser or email client processes spawning unusual child processes after PDF file access
- Network connections initiated from PDF viewer contexts to unknown external hosts
- Anomalous font-related errors in PDF.js console logs followed by script execution
Detection Strategies
- Monitor for suspicious PDF files containing unusual font definitions or embedded scripts
- Implement content inspection rules to detect known PoC signatures in PDF documents
- Deploy endpoint detection rules that alert on JavaScript execution patterns from PDF rendering engines
- Review browser extension and application logs for PDF.js-related errors preceding suspicious activity
Monitoring Recommendations
- Enable verbose logging for PDF.js in development and staging environments to identify exploitation attempts
- Configure security information and event management (SIEM) rules to correlate PDF file access with subsequent anomalous JavaScript execution
- Monitor network traffic for connections initiated immediately after PDF file rendering in browsers
- Implement file integrity monitoring for applications embedding PDF.js to detect unauthorized modifications
How to Mitigate CVE-2024-4367
Immediate Actions Required
- Update Mozilla Firefox to version 126 or later immediately
- Update Mozilla Firefox ESR to version 115.11 or later
- Update Mozilla Thunderbird to version 115.11 or later
- Update PDF.js library to version 4.2.67 or later in all web applications using embedded PDF rendering
- Review and update Open-Xchange AppSuite Frontend deployments to patched versions
Patch Information
Mozilla has released security updates addressing this vulnerability across all affected products. The fixes are documented in MFSA-2024-21, MFSA-2024-22, and MFSA-2024-23. The standalone PDF.js library was patched in version 4.2.67. Debian has also released security updates documented in their LTS announcements. The original bug tracking can be found at Mozilla Bug #1893645.
Workarounds
- Disable the built-in PDF viewer in Firefox and use an alternative PDF reader until patching is complete
- Configure email clients to download PDF attachments rather than rendering them inline
- Implement web application firewall (WAF) rules to block PDF files containing suspicious font structures
- For web applications using PDF.js, consider server-side PDF rendering with sanitization until the library can be updated
# Firefox configuration to disable the built-in PDF viewer
# Set pdfjs.disabled to true in about:config, or add this line to the profile's user.js,
# so that PDFs are opened with an external PDF reader
user_pref("pdfjs.disabled", true);

# From a shell: verify that the installed Firefox version is patched
firefox --version
# Should show 126.0 or higher for standard release
# Should show 115.11 or higher for ESR


