VulnerableCode Package Details - pkg:npm/pdfjs-dist@2.0.550

Search for packages

Vulnerability	Summary	Fixed by
VCID-89es-k3ja-1be1 Aliases: CVE-2024-4367 GHSA-wgrm-67xf-hhpq	PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF ### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645	4.2.67 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-89es-k3ja-1be1
Aliases:
CVE-2024-4367
GHSA-wgrm-67xf-hhpq

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF ### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

4.2.67
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-mfwc-dm4n-vbey	Code injection The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.	CVE-2018-5158 GHSA-7jg2-jgv3-fmr4

Vulnerability

Summary

Aliases

VCID-mfwc-dm4n-vbey

Code injection The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.

CVE-2018-5158
GHSA-7jg2-jgv3-fmr4

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:57:30.607025+00:00	GitLab Importer	Affected by	VCID-89es-k3ja-1be1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2024-4367.yml	38.4.0
2026-04-12T00:15:34.887893+00:00	GitLab Importer	Affected by	VCID-89es-k3ja-1be1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2024-4367.yml	38.3.0
2026-04-04T14:30:31.989578+00:00	GHSA Importer	Fixing	VCID-mfwc-dm4n-vbey	https://github.com/advisories/GHSA-7jg2-jgv3-fmr4	38.1.0
2026-04-03T00:22:35.974579+00:00	GitLab Importer	Affected by	VCID-89es-k3ja-1be1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pdfjs-dist/CVE-2024-4367.yml	38.1.0
2026-04-01T13:09:18.340599+00:00	GithubOSV Importer	Fixing	VCID-mfwc-dm4n-vbey	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7jg2-jgv3-fmr4/GHSA-7jg2-jgv3-fmr4.json	38.0.0