VulnerableCode Package Details - pkg:npm/pdfjs-dist@1.2.52

Search for packages

Vulnerability	Summary	Fixed by
VCID-89es-k3ja-1be1 Aliases: CVE-2024-4367 GHSA-wgrm-67xf-hhpq	PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF ### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645	4.2.67 Affected by 0 other vulnerabilities.
VCID-mfwc-dm4n-vbey Aliases: CVE-2018-5158 GHSA-7jg2-jgv3-fmr4	Code injection The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.	1.10.100 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.0.550 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-89es-k3ja-1be1
Aliases:
CVE-2024-4367
GHSA-wgrm-67xf-hhpq

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF ### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

4.2.67
Affected by 0 other vulnerabilities.

VCID-mfwc-dm4n-vbey
Aliases:
CVE-2018-5158
GHSA-7jg2-jgv3-fmr4

Code injection The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.

1.10.100
Affected by 1 other vulnerability.

2.0.550
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:57:27.060053+00:00	GitLab Importer	Affected by	VCID-89es-k3ja-1be1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2024-4367.yml	38.4.0
2026-04-16T20:45:11.445681+00:00	GitLab Importer	Affected by	VCID-mfwc-dm4n-vbey	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2018-5158.yml	38.4.0
2026-04-12T00:15:33.009346+00:00	GitLab Importer	Affected by	VCID-89es-k3ja-1be1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2024-4367.yml	38.3.0
2026-04-11T21:55:55.464896+00:00	GitLab Importer	Affected by	VCID-mfwc-dm4n-vbey	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2018-5158.yml	38.3.0
2026-04-03T00:22:31.879919+00:00	GitLab Importer	Affected by	VCID-89es-k3ja-1be1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2024-4367.yml	38.1.0
2026-04-02T22:09:22.402957+00:00	GitLab Importer	Affected by	VCID-mfwc-dm4n-vbey	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2018-5158.yml	38.1.0
2026-04-01T16:26:34.688273+00:00	GitLab Importer	Affected by	VCID-mfwc-dm4n-vbey	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2018-5158.yml	38.0.0