Why You Should be AFRAID of PDF Files - PDF.js CVE-2024-4367

Jun 10, 2024

Use Snyk for free to find and fix security issues in your applications today! https://snyk.co/ugLYn

A significant vulnerability was discovered in the widely used library PDF.js. In this video, we take a look at what the vulnerability is, where it came from, who it impacts and how you can mitigate it.

⏲️ Chapters ⏲️

00:00 - Intro

00:48 - Understanding PDF Files

01:52 - What is the Vulnerability?

04:02 - Exploring the PDF.js Library

05:27 - Exploring the Vulnerability in a Sample Application

08:18 - Exploiting The Vulnerability

10:22 - Loading Remote JavaScript Code with Gist

11:52 - PDF Vulnerability Demo with Svelte and Vue

13:01 - PDF Vulnerability in Desktop Applications

14:11 - PDF Vulnerability in VS Code Extensions

15:59 - How to Mitigate this Vulnerability with Snyk

18:07 - Other Ways to Mitigate the Vulnerability

18:50 - Outro

⚒️ About Snyk ⚒️

Snyk helps you find and fix vulnerabilities in your code, open-source dependencies, containers, infrastructure-as-code, software pipelines, IDEs, and more! Move fast, stay secure.

Learn more about Snyk: https://snyk.co/ugLYl
