AIKIDO-2024-10104

ngx-extended-pdf-viewer is vulnerable to Eval Injection

Eval Injection | CVE-2024-4367 | Published May 27, 2024

75 (High Risk)

This Affects:

ngx-extended-pdf-viewer (JS)
Affected versions: 0.0.1 - 20.0.2
Fixed in 20.1.0

TL;DR

Affected versions of the package are vulnerable to eval injection. If PDF.js is used to load a malicious PDF and is configured with isEvalSupported set to true (the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.
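
One way to run that check against a project, as an added example that is not part of the advisory or of ngx-extended-pdf-viewer itself: it walks a parsed package-lock.json (both the `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of version 1) and flags every installed copy, including nested ones, that falls in 0.0.1 - 20.0.2. The function names and the sample lockfile are constructed for illustration, and ignoring pre-release suffixes is an assumption.

```javascript
// Added example (not the project's code): flag lockfile entries in the advisory's range.
const PKG = "ngx-extended-pdf-viewer";
const FIRST_AFFECTED = [0, 0, 1];  // from the advisory: 0.0.1 - 20.0.2
const LAST_AFFECTED = [20, 0, 2];

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;  // git URLs, tags, links: unknown, so never reported as safe
  return compare(v, FIRST_AFFECTED) >= 0 && compare(v, LAST_AFFECTED) <= 0;
}

// Collect every installed copy, top-level or nested, from a parsed package-lock.json.
const entry = (path, version) => ({ path, version, affected: isAffected(version) });
function findInstalls(lock) {
  const found = [];
  if (lock.packages) {  // lockfileVersion 2 and 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + PKG)) found.push(entry(path, meta.version));
    }
    return found;
  }
  const walk = (deps, prefix) => {  // lockfileVersion 1
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PKG) found.push(entry(path, meta.version));
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/ngx-extended-pdf-viewer": { version: "20.1.0" },
  "node_modules/legacy-widget/node_modules/ngx-extended-pdf-viewer": { version: "19.7.1" },
} };
console.log(findInstalls(sampleLock));
```

An `affected` value of `null` means the version string could not be parsed and needs a manual look.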

Background info

ngx-extended-pdf-viewer is vulnerable to Eval Injection in versions 0.0.1 - 20.0.2.

How to fix this

Upgrade the ngx-extended-pdf-viewer library to the patched version (20.1.0).