NotionX/react-notion-x

CVE-2024-34342 - react-pdf version exposed

Closed this issue · 2 comments

Description

react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2.

https://www.npmjs.com/package/react-pdf current available version is 9.1.1, compared to dependency version 5.7.1 used by react-notion-x as of today (v6.16.0)

Version 9.1.1 is compatible with React version >= 16.8

Should be fixed by #571, which updates react-pdf to latest.
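
Added example, not part of the issue thread or of react-notion-x: a lockfile check that finds every installed copy of react-pdf, including copies nested under another package, and flags those older than the fixed releases named in the description (7.7.3 and 8.0.2). The function names and the sample lockfile are constructed for illustration, and it assumes the npm lockfile v2/v3 `packages` layout.

```javascript
// Fixed releases as stated in the CVE description quoted in the issue.
const FIXED_7 = [7, 7, 3];
const FIXED_8 = [8, 0, 2];

// Parse "major.minor.patch". Assumption: a pre-release suffix is ignored and
// the build is compared by its core version only.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Reading of "fixed in 7.7.3 and 8.0.2": 8.x is affected below 8.0.2,
// every older major line is affected below 7.7.3, 9.x and later are not.
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] >= 9) return false;
  return v[0] === 8 ? lessThan(v, FIXED_8) : lessThan(v, FIXED_7);
}

// Walk the lockfile "packages" map; a nested copy appears under a key such as
// node_modules/<parent>/node_modules/react-pdf and is easy to miss by hand.
function findReactPdf(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === "node_modules/react-pdf" ||
                        path.endsWith("/node_modules/react-pdf"))
    .map(([path, meta]) => ({ path, version: meta.version,
                              affected: isAffected(meta.version) }));
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react-pdf": { version: "9.1.1" },
    "node_modules/react-notion-x": { version: "6.16.0" },
    "node_modules/react-notion-x/node_modules/react-pdf": { version: "5.7.1" },
  },
};
console.log(findReactPdf(sampleLock));
```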