Note on pdfjs-dist
security vulnerability
#1786
Replies: 5 comments 12 replies
-
Thanks for the great detail! |
Beta Was this translation helpful? Give feedback.
-
Appreciate the detail laid out here. However this puts us in an awkward spot. I don't want to turn off my pre-commit hook that checks for security vulnerabilities and if I keep the pre-commit hook on this will keep failing until Is there a timetable for the longterm plan or would you recommend looking for new solutions outside of react-pdf? |
Beta Was this translation helpful? Give feedback.
-
Thx for this announcement, it really clears things up for my team! We use this package and the date picker too, they kill perfectly our pain points of UI developement, well maintained with great communications! Hope for the best of this security issue! |
Beta Was this translation helpful? Give feedback.
-
Finally mozilla/pdf.js#18051 got released https://github.com/mozilla/pdf.js/releases/tag/v4.3.136 🚀 |
Beta Was this translation helpful? Give feedback.
-
migrating to v9 for the security fix is a pretty heavy lift if you're not already on esm builds. any chance to port just the security fix back to v8 so we can get the fix and update to ESM in our own time? |
Beta Was this translation helpful? Give feedback.
-
Important
What happened?
GHSA-wgrm-67xf-hhpq security advisory has been published in
pdfjs-dist
, a key dependency of ours, noting the use ofeval
, potentially allowing malicious PDF files to execute unrestricted attacker-controlled JavaScript in the context of the hosting domain.Important: this vulnerability is only exploitable when
isEvalSupported
option is set totrue
(default).How we addressed the vulnerability in React-PDF?
isEvalSupported
option is now forcefully being set tofalse
, completely removing the attack vector. This patch has been released in versions 7.7.3 and 8.0.2.Security audit still fail! What can I do?
pdfjs-dist
that's potentially exploitable. This is expected if you're using React-PDF version older than 9.0.0.pdfjs-dist
vulnerability not exploitable.Why didn't you just update
pdfjs-dist
to the latest version immediately?It was the long term plan, but it was too early to leave v7/v8 users behind. Updating
pdfjs-dist
to the latest version was a breaking change. This meant leaving v7 and v8 users behind. A quick, non-breaking patch release was, I believe, welcome by most.Furthermore,
pdfjs-dist
versions earlier than 4.3.136 included changes that would break many setups, even the most modern ones.Beta Was this translation helpful? Give feedback.
All reactions