VadimDez/ng2-pdf-viewer

Critical Security Vulnerability in dependency package "pdfjs"

bdalvandi-awaremd opened this issue · 6 comments

Bug Report or Feature Request (mark with an x)
- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [X] Bug report -> please search issues before submitting
- [ ] Feature request
- [ ] Documentation issue or request

The latest version of ng2-pdf-viewer (10.2.2) has a dependency on pdfjs-dist version 3.11.x, which has recently been discovered to have an extremely critical vulnerability, allowing attacks on the domain.
The latest version of pdfjs-dist has remediated that vulnerability. I am wondering if a new version of ng2-pdf-viewer is coming out soon that uses the latest version and remediates this vulnerability?

Did you search? Multiple issues cover this already

> Did you search? Multiple issues cover this already

Yes. But I don't see any of them clearly explaining how to overcome the vulnerability. The closest thing I have seen is people mentioning to set the eval to false or something, but where and how is not clear.
Can you by any chance point me to a clear solution? Thanks.

I agree it's not clear how to resolve this security issue. Is there a patch or update coming?

Did you try reading the release notes, e.g. for v10.2.0?

#1092 resolves the CVE but does not update the pdfjs package to 4.x, so automated security tools will still complain even though the issue is resolved.

Does anyone know what the effort is to update the dependency to pdfjs 4.x?

... #1105