Skip to content

Arbitrary JavaScript execution due to using outdated libraries

Low severity GitHub Reviewed Published Jun 4, 2024 in freddyaboulton/gradio-pdf • Updated Jun 5, 2024

Package

pip gradio_pdf (pip)

Affected versions

< 0.0.10

Patched versions

0.0.10

Description

Summary

gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution.

PoC

  1. Generate a pdf file with a malicious script in the fontmatrix. (This will run alert(‘XSS’).)
    poc.pdf

  2. Run the app. In this PoC, I've used the demo for a simple proof.
    1

  3. Upload a PDF file containing the script.
    2

  4. Check that the script is running.
    3

Impact

Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering.

Mitigation

Upgrade the pdf.js to v4.2.67, which removes the vulnerability. (or set the option isEvalSupported to false.)

Reference

  1. https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
  2. mozilla/pdf.js#18015

References

@freddyaboulton freddyaboulton published to freddyaboulton/gradio-pdf Jun 4, 2024
Published to the GitHub Advisory Database Jun 5, 2024
Reviewed Jun 5, 2024
Last updated Jun 5, 2024

Severity

Low
3.6
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-4m3g-6r7g-jv4f

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.