High Severity issue in PDF.js version <= 4.1.392

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

Transitive dependency pdfjs-dist 2.16.105 is introduced via

  • @forge/react 11.1.0 … pdfjs-dist 2.16.105

Package: pdfjs-dist (npm)
Affected versions: <= 4.1.392
Patched version: 4.2.67

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
mozilla/pdf.js#18015

Workarounds

Set the option isEvalSupported to false.

Above is a message reported by Dependabot which results in a High security vulnerability issue that is being flagged by my company's security team as something that requires resolution.

Please update the @forge/react project to have pdfjs-dist@4.2.67

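One way to confirm the finding on your own lockfile, as an added example that is not part of this thread or of any Atlassian or Mozilla code: it walks a lockfileVersion 3 package-lock.json (the constructed excerpt below mirrors the @forge/react 11.1.0 -> pdfjs-dist 2.16.105 chain reported above) and reports every installed pdfjs-dist copy below the patched 4.2.67 together with the packages that pull it in.

```javascript
// Added example: audit a lockfileVersion 3 package-lock.json for the
// pdfjs-dist advisory quoted above. Version numbers come from the advisory;
// the lockfile contents are constructed, not taken from a real project.
const ADVISORY = { name: "pdfjs-dist", patched: "4.2.67" };

// Constructed lockfile excerpt: lockfileVersion 3 keys packages by install path.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@forge/react": "11.1.0" } },
    "node_modules/@forge/react": { version: "11.1.0", dependencies: { "pdfjs-dist": "2.16.105" } },
    "node_modules/pdfjs-dist": { version: "2.16.105" },
  },
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name from an install path ("node_modules/@forge/react" -> "@forge/react"),
// also correct for nested copies ("node_modules/a/node_modules/b" -> "b").
function nameFromPath(p) {
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// One finding per installed copy of the advisory package that is below the
// patched version, listing the packages whose dependencies pull it in.
function auditLock(lock, advisory) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (path === "" || nameFromPath(path) !== advisory.name) continue;
    if (compareVersions(pkg.version, advisory.patched) >= 0) continue;
    const dependents = Object.entries(lock.packages)
      .filter(([p, d]) => p !== "" && d.dependencies && advisory.name in d.dependencies)
      .map(([p]) => nameFromPath(p));
    findings.push({ path, version: pkg.version, dependents });
  }
  return findings;
}

console.log(JSON.stringify(auditLock(LOCK, ADVISORY), null, 2));
```

Replace LOCK with require('./package-lock.json') to run it against a real project.
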
Worth reporting to Atlassian using the regular approach?

It's not actually a vulnerability in the Jira Forge code itself but rather just a dependency update, therefore I don't think it's appropriate to use that channel.

There are a lot of boundaries to filing issues; we're working with our tenant admin to get a ticket created over there, as I don't seem to have access to the Jira Jira anymore. In the meantime I'm hoping to document it here in hopes it would get picked up by someone on the dev team asap.

I think that if it affects Forge in some way, it’s worth following the documented procedure. It’s optimistic to think that an Atlassian dev will read this post.

In our app, Dependabot reports 13 medium and 12 high vulnerabilities. All of those are introduced as dependencies from some Atlassian components. pdf.js is one of them; I really would love to see Atlassian update their dependencies to more recent versions.