CVE-2024-4367 is a high-severity (CVSS 8.8) vulnerability in PDF.js versions prior to 4.2.67 that allows arbitrary JavaScript execution. The flaw stems from the FontMatrix array in PDF font definitions accepting non-numeric values without validation. These values are directly embedded into dynamically generated JavaScript via the getPathGenerator() function, enabling injection attacks. An attacker can craft a malicious PDF with a specially formed FontMatrix payload to execute arbitrary JS when the PDF is rendered, enabling session hijacking, data exfiltration, and CSRF-style attacks. Mitigations include upgrading to 4.2.67+, setting isEvalSupported to false, validating FontMatrix values as numeric, and sandboxing PDF rendering in iframes.
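The two code-level mitigations named above (validating FontMatrix as numeric, and keeping PDF-supplied values out of generated JavaScript) can be sketched as follows. This is an added example, not PDF.js's own code or its patch: the function names are hypothetical, and the fallback matrix and the allowed-operation list are assumptions.

```javascript
// Added example; function names are hypothetical, not PDF.js APIs.
// Conventional default font matrix, used here as the fallback (assumption).
const DEFAULT_FONT_MATRIX = Object.freeze([0.001, 0, 0, 0.001, 0, 0]);
const ALLOWED_OPS = new Set(["moveTo", "lineTo", "quadraticCurveTo", "bezierCurveTo", "closePath"]);

const isFiniteNumber = (v) => typeof v === "number" && Number.isFinite(v);

// A FontMatrix is acceptable only as exactly six finite numbers.
function isValidFontMatrix(m) {
  return Array.isArray(m) && m.length === 6 && m.every(isFiniteNumber);
}

// Replace anything else (strings, NaN, nested arrays, wrong length) with the default.
function sanitizeFontMatrix(m) {
  return isValidFontMatrix(m) ? m.slice() : DEFAULT_FONT_MATRIX.slice();
}

// Build glyph drawing commands as data instead of JavaScript source text,
// so no PDF-supplied value is ever parsed as code.
function compilePathCommands(fontMatrix, segments) {
  const cmds = [
    { op: "save", args: [] },
    { op: "transform", args: sanitizeFontMatrix(fontMatrix) },
  ];
  for (const { op, args } of segments) {
    if (!ALLOWED_OPS.has(op) || !Array.isArray(args) || !args.every(isFiniteNumber)) {
      throw new TypeError("rejected path segment: " + String(op));
    }
    cmds.push({ op, args: args.slice() });
  }
  cmds.push({ op: "restore", args: [] });
  return cmds;
}

// Replay the command list against a CanvasRenderingContext2D-like object.
function replay(cmds, ctx) {
  for (const { op, args } of cmds) ctx[op](...args);
  return ctx;
}

// Constructed sample input: the last FontMatrix entry is a string, not a number.
const untrustedMatrix = [0.001, 0, 0, 0.001, 0, "not-a-number"];
const sampleCmds = compilePathCommands(untrustedMatrix, [
  { op: "moveTo", args: [0, 0] },
  { op: "lineTo", args: [500, 700] },
]);
console.log(JSON.stringify(sampleCmds));
```

Where an affected PDF.js version cannot be upgraded immediately, the `isEvalSupported: false` option mentioned above is passed in the options object given to `getDocument`.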