High Severity issue in PDF.js version <= 4.1.392

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

Transitive dependency pdfjs-dist 2.16.105 is introduced via

  • @forge/react 11.1.0 … pdfjs-dist 2.16.105

Package            Affected versions   Patched version
pdfjs-dist (npm)   <= 4.1.392          4.2.67

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
mozilla/pdf.js#18015

Workarounds

Set the option isEvalSupported to false.

References


Above is a message reported by Dependabot, which results in a High security vulnerability issue that is being flagged by my company's security team as something that requires resolution.

Please update the @forge/react project to have pdfjs-dist@4.2.67

1 Like

Worth reporting to Atlassian using the regular approach?

It's not actually a vulnerability in the Jira Forge code itself but rather just a dependency update, therefore I don't think it's appropriate to use that channel.

There are a lot of boundaries to filing issues. We're working with our tenant admin to get a ticket created over there, as I don't seem to have access to the Jira Jira anymore. In the meantime I'm hoping to document it here in hopes it would get picked up by someone on the dev team asap.

I think that if it affects Forge in some way, it’s worth following the documented procedure. It’s optimistic to think that an Atlassian dev will read this post.

1 Like

In our app, dependabot reports 13 medium and 12 high vulnerabilities. All of those are introduced as dependencies from some Atlassian components. pdf.js is one of them; I really would love to see Atlassian update their dependencies to more recent versions.

By the way I did end up filing this as an issue with their support team, it is still pending but they said it was going to be fixed in the next release.

1 Like

@JustinChase can you ping them again?

Issue persists in @forge/react@11.2.4

I do have an update on this. The fix is delayed because it requires an overall update of the rest of their code to nodejs 22. They’re working on it but it hasn’t been deployed yet.

However, you can work around the issue by upgrading your own code to nodejs 22 and then using an override in your package.json file. It does not work on nodejs 20 or less.

package.json

{
	// ...
	"engines": {
		"node": ">=22.11.0"
	},
	"overrides": {
		"pdfjs-dist": "^4.2.67"
	}
}
1 Like