Note on pdfjs-dist
security vulnerability
#1786
Replies: 3 comments 5 replies
-
Thanks for the great detail! |
Beta Was this translation helpful? Give feedback.
-
Appreciate the detail laid out here. However this puts us in an awkward spot. I don't want to turn off my pre-commit hook that checks for security vulnerabilities and if I keep the pre-commit hook on this will keep failing until Is there a timetable for the longterm plan or would you recommend looking for new solutions outside of react-pdf? |
Beta Was this translation helpful? Give feedback.
-
Thx for this announcement, it really clears things up for my team! We use this package and the date picker too, they kill perfectly our pain points of UI developement, well maintained with great communications! Hope for the best of this security issue! |
Beta Was this translation helpful? Give feedback.
-
Important
What happened?
GHSA-wgrm-67xf-hhpq security advisory has been published in
pdfjs-dist
, a key dependency of ours, noting the use ofeval
, potentially allowing malicious PDF files to execute unrestricted attacker-controlled JavaScript in the context of the hosting domain.Important: this vulnerability is only exploitable when
isEvalSupported
option is set totrue
(default).How we addressed the vulnerability in React-PDF?
isEvalSupported
option is now forcefully being set tofalse
, completely removing the attack vector. This patch has been released in versions 7.7.3 and 8.0.2.Security audit still fail! What can I do?
pdfjs-dist
that's potentially exploitable. This is expected.pdfjs-dist
vulnerability not exploitable.Why didn't you just update
pdfjs-dist
to the latest version?I'm glad you asked. It is the long term plan, but…
It's too early to leave v7/v8 users behind
Without any doubt, updating
pdfjs-dist
to the latest version will be a breaking change. This would mean leaving v7 and v8 users behind. A quick, non-breaking patch release is, I believe, welcome by most. Upgrade ofpdfjs-dist
to 4.2.67 or later will come in two stages.workerSrc
svg
renderMode
structuredClone
(e.g. Chrome <98) unless polyfilledes2022
, effectively raising minimum supported browser versions to Chrome 94, Safari 16.4, Firefox 93, and Opera 80. These minimums make it unacceptable by most, and will cause nothing but the users stuck on older (vulnerable!) React-PDF versions. See 4.0.189: Top-level await is not available in the configured target environment ("chrome87", "edge88", "es2020", "firefox78", "safari14" + 2 overrides) mozilla/pdf.js#17245 for details.Working around top-level await issue requires a major rewrite
One potential workaround for top level await issue would be to load
pdfjs-dist
asynchronously usinguse()
(for which I even have a "polyfill" for React 18!), but that would mean we would need to completely rewrite React-PDF to use Suspense for handling all Promises. Unless a huge donation (or donations) is made, that would allow me to take some time off and work on this matter full time, this will not happen anytime soon.There is hope!
Usage of top level await has been removed in mozilla/pdf.js#18051. When this gets released "at the end of the month" (May 2024), the release containing this change is going to make it significantly easier for us to upgrade to, and despite some unavoidable breaking changes like raising minimum browser versions, it's undoubtedly going to be a no-brainer upgrade for us.
Beta Was this translation helpful? Give feedback.
All reactions