InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


PDF.js Arbitrary JavaScript Code Execution (CVE-2024-4367)

coffinxp
Published in InfoSec Write-ups · 2 min read · Jan 3, 2025

Introduction

CVE-2024-4367 is a critical security vulnerability in PDF.js, a popular JavaScript-based PDF viewer maintained by Mozilla. It allows attackers to execute unauthorized JavaScript code by embedding malicious scripts in PDF files. The issue arises from missing type checks when handling font data, which makes it possible to inject scripts.

How to Find this bug

  1. Go to any website with a file upload field that supports PDF uploads.
  2. Check the Wappalyzer extension on the file upload endpoint: if it reports PDF.js below 4.2.67, or does not show any version, the site is more likely vulnerable.
  3. Embed JavaScript payloads by manipulating the FontMatrix array within the PDF. Example:
/FontMatrix [1 0 0 1 0 (0\); alert('Exploited CVE-20244367')//)]

You can also download the PDF with domains and cookie popup from my GitHub repo in the pdFExploit Repository:

  4. Now upload these PDFs in the upload field and it will give you an XSS popup with a cookie. You can also try the calculator RCE in the same PDF; I added all the exploits in my PDF repo.

Mitigation

  1. Upgrade to PDF.js version 4.2.67 or higher where the issue is patched
  2. Make sure applications that rely on PDF.js such as web platforms or Electron apps are updated to include the patched version
  3. Sanitize PDF Inputs: Employ robust…
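
For the input-sanitization item, one way to triage uploaded PDFs for the malformed FontMatrix this bug relies on, as an added example that is not code from the article or from the PDF.js project. The function name, finding fields and sample fragments are constructed for illustration. The check only sees dictionaries stored uncompressed in the file, so it complements the upgrade to 4.2.67 rather than replacing it.

```javascript
// Added example (not PDF.js code): flag /FontMatrix values that are not
// an inline array of exactly six plain numbers, which is what a valid
// font matrix contains. Assumption: the dictionary is stored uncompressed;
// entries hidden inside FlateDecode streams are not inspected here.
const PDF_NUMBER = /^[+-]?(?:\d+\.?\d*|\.\d+)$/;

function checkFontMatrices(buf) {
  const text = buf.toString("latin1"); // 1 byte -> 1 char, offsets stay valid
  const findings = [];
  const key = /\/FontMatrix(?![A-Za-z0-9])\s*/g;
  let m;
  while ((m = key.exec(text)) !== null) {
    const rest = text.slice(key.lastIndex, key.lastIndex + 256);
    if (rest[0] !== "[") {
      // Indirect reference or garbage: cannot be validated in place.
      findings.push({ offset: m.index, reason: "not an inline array",
                      value: rest.slice(0, 32) });
      continue;
    }
    const close = rest.indexOf("]");
    const body = close === -1 ? rest.slice(1) : rest.slice(1, close);
    const tokens = body.split(/\s+/).filter(Boolean);
    const valid = close !== -1 && tokens.length === 6 &&
                  tokens.every((t) => PDF_NUMBER.test(t));
    if (!valid) {
      findings.push({ offset: m.index, reason: "non-numeric or malformed entries",
                      value: body });
    }
  }
  return findings;
}

// Constructed sample fragments (not taken from real files).
const SAMPLE_OK = Buffer.from(
  "<< /Type /Font /FontMatrix [0.001 0 0 0.001 0 0] >>", "latin1");
const SAMPLE_BAD = Buffer.from(
  "<< /Type /Font /FontMatrix [1 0 0 1 0 (not-a-number)] >>", "latin1");
const SAMPLE_INDIRECT = Buffer.from(
  "<< /Type /Font /FontMatrix 12 0 R >>", "latin1");

for (const [name, sample] of Object.entries({ SAMPLE_OK, SAMPLE_BAD, SAMPLE_INDIRECT })) {
  console.log(name, JSON.stringify(checkFontMatrices(sample)));
}
```

A finding is a reason to quarantine the upload for review, not proof of exploitation; a clean result says nothing about compressed object streams.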


Written by coffinxp

Security Researcher | Content creator
