Summary
gradio-pdf renders uploaded documents with the pdf.js library. pdf.js versions before v4.2.67 are affected by CVE-2024-4367, which lets a crafted PDF execute arbitrary JavaScript in the context of the page that renders it, so any gradio-pdf deployment that bundles such a version is vulnerable.
PoC
- Generate a PDF file with a malicious script in the FontMatrix of an embedded font. (This one runs `alert('XSS')`.)
  poc.pdf
- Run the app. In this PoC, I've used the demo for a simple proof.
![1](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/d1bb7626-3d0f-4984-8873-297658d6e77e)
- Upload the PDF file containing the script.
![2](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/803d8080-c946-446e-bb34-cf5640e1b4de)
- Check that the script runs.
![3](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/4956b95f-acca-4bb1-a3c2-7dfc96adf890)
Impact
The injected script runs in the origin of the Gradio application that embeds the viewer, so it executes with the victim's session and has access to the page's DOM and to the app's own endpoints. Chained with CSRF-style requests it can do considerably more damage than a plain alert, and because the trigger is simply opening a PDF, it is an easy starting point for further attacks delivered through social engineering.
Mitigation
Upgrade pdf.js to v4.2.67 or later, which removes the vulnerable code path. If upgrading is not immediately possible, pass the option `isEvalSupported: false` when loading documents; this disables the eval-based font compilation path that the exploit relies on, at some cost in font rendering performance.
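As a defense-in-depth check to run on the server before a file reaches the viewer, here is an example written for this page (it is not code from gradio-pdf or pdf.js). It gates on the bundled pdf.js version and scans an uploaded PDF, including the inflated bodies of its Flate-compressed streams, for a `/FontMatrix` array that is not six plain numbers, which is where the advisory places the payload. The function names, the sample PDF fragments and the 8 MiB inflation cap are all assumptions made for the example; the samples are constructed stand-ins, not the advisory's poc.pdf. The scan is a heuristic: it does not see fonts stored in object streams or encrypted files, and it is no substitute for the upgrade.

```python
import re
import zlib
from typing import Iterator, List

# Release that removes the FontMatrix eval path (per the advisory's Mitigation section).
FIXED_PDFJS_VERSION = (4, 2, 67)


def parse_version(version: str) -> tuple:
    """Convert '4.2.67', 'v4.2.67' or '4.2.67-beta.1' into a comparable tuple."""
    core = version.lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def pdfjs_is_patched(version: str) -> bool:
    """True when the bundled pdf.js is at or above the release that fixes CVE-2024-4367."""
    return parse_version(version) >= FIXED_PDFJS_VERSION


# A well-formed FontMatrix is an array of exactly six numbers, e.g. [0.001 0 0 0.001 0 0].
_FONTMATRIX_RE = re.compile(rb"/FontMatrix\s*\[([^\]]*)\]")
_NUMBER_RE = re.compile(rb"^[+-]?(?:\d+\.?\d*|\.\d+)$")
# stream ... endstream bodies; the trailing \r (if any) is left in place, zlib ignores it.
_STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\nendstream", re.DOTALL)
_MAX_INFLATED = 8 * 1024 * 1024  # assumed cap so a crafted file cannot zip-bomb the scanner


def _scan_buffers(pdf_bytes: bytes) -> Iterator[bytes]:
    """Yield the raw file plus the inflated body of every stream that decompresses as zlib."""
    yield pdf_bytes
    for match in _STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompressobj().decompress(match.group(1), _MAX_INFLATED)
        except zlib.error:
            continue  # not a Flate stream (plain text, image data, ...)


def suspicious_fontmatrices(pdf_bytes: bytes) -> List[bytes]:
    """Return the contents of every /FontMatrix array that is not exactly six numeric tokens."""
    hits = []
    for buf in _scan_buffers(pdf_bytes):
        for match in _FONTMATRIX_RE.finditer(buf):
            tokens = match.group(1).split()
            if len(tokens) != 6 or not all(_NUMBER_RE.match(t) for t in tokens):
                hits.append(match.group(1).strip())
    return hits


def is_acceptable_upload(pdf_bytes: bytes) -> bool:
    """Upload-handler gate: reject files whose font matrices carry anything but numbers."""
    return not suspicious_fontmatrices(pdf_bytes)


# Constructed samples: a minimal uncompressed Type1 cleartext header with a normal matrix,
# and the same header with a script-like token in the matrix. Not the advisory's poc.pdf.
BENIGN_SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Length 60 >>\nstream\n"
    b"%!PS-AdobeFont-1.0: Demo\n/FontMatrix [0.001 0 0 0.001 0 0] readonly def\n"
    b"\nendstream\nendobj\n"
)
MALICIOUS_SAMPLE = BENIGN_SAMPLE.replace(
    b"[0.001 0 0 0.001 0 0]", b"[0.001 0 0 0.001 0 alert('XSS')]"
)
# The same payload inside a FlateDecode stream, which a scan of the raw bytes alone would miss.
_font_program = (
    b"%!PS-AdobeFont-1.0: Demo\n/FontMatrix [0.001 0 0 0.001 0 alert('XSS')] readonly def\n"
)
COMPRESSED_MALICIOUS_SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_font_program)
    + b"\nendstream\nendobj\n"
)


if __name__ == "__main__":
    for name, sample in [
        ("benign", BENIGN_SAMPLE),
        ("malicious", MALICIOUS_SAMPLE),
        ("compressed", COMPRESSED_MALICIOUS_SAMPLE),
    ]:
        print(name, "acceptable" if is_acceptable_upload(sample) else "REJECT",
              suspicious_fontmatrices(sample))
    print("pdf.js 4.1.392 patched:", pdfjs_is_patched("4.1.392"))
```

In a Gradio app the natural place for `is_acceptable_upload` is the upload callback, reading the temporary file's bytes and returning an error to the user before the path is handed to the PDF component; `pdfjs_is_patched` is meant for a CI check against the version string in the frontend's lock file.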
Reference
- https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
- mozilla/pdf.js#18015