CVE-2024-34342 in react-pdf
Summary
by MITRE • 05/07/2024
react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/31/2025
The vulnerability identified as CVE-2024-34342 affects the react-pdf library, a popular component for rendering PDF documents within react applications. This issue stems from the underlying PDF.js library integration where the default configuration allows for unrestricted JavaScript execution when processing malicious PDF files. The flaw specifically manifests when the `isEvalSupported` parameter is set to true, which represents the default setting in PDF.js, creating a critical security risk for applications that process untrusted PDF content.
The technical exploitation of this vulnerability occurs through maliciously crafted PDF files that contain attacker-controlled JavaScript code. When react-pdf processes such documents with the default PDF.js configuration, the JavaScript code embedded within the PDF gets executed in the same security context as the hosting web application. This cross-site scripting scenario allows attackers to potentially steal user session data, perform actions on behalf of users, or exfiltrate sensitive information from the application's domain context. The vulnerability represents a classic server-side request forgery and code injection vector that bypasses typical browser security mechanisms.
The operational impact of this vulnerability extends beyond simple XSS attacks as it can enable full compromise of user sessions and data exfiltration within the application's security boundaries. Applications using react-pdf for document processing, particularly those handling user-uploaded or third-party PDF files, become vulnerable to persistent threats. The default configuration of PDF.js makes this vulnerability particularly dangerous as organizations may unknowingly expose their applications to risk without explicit configuration changes. This issue affects not only web applications but also mobile applications that utilize react-native-pdf or similar components that may share similar underlying vulnerabilities.
Mitigation strategies for CVE-2024-34342 include immediate upgrading to react-pdf versions 7.7.3 or 8.0.2 where the vulnerability has been patched. Organizations should also explicitly set `isEvalSupported` to false in their PDF.js configurations when processing untrusted content, effectively disabling JavaScript execution within PDF documents. Additional protective measures include implementing strict content validation, using sandboxed environments for PDF processing, and employing web application firewalls to detect and block malicious PDF content. The vulnerability aligns with CWE-94, which describes improper control of generation of code, and maps to ATT&CK technique T1203, which covers Exploitation for Client Execution, highlighting the need for comprehensive application security controls. Security teams should also consider implementing automated scanning for vulnerable library versions and establishing secure coding practices for PDF processing components within their applications.