A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Loading...
Loading...
This high-severity CVE scores 8.8 under NVD CVSS v3. EPSS exploit probability: 38.3%, top 3% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
May 14, 2024
May 12, 2026
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| pdfjs-dist | — | 4.2.67 | — |
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
RHSA-2024:2881 — Important
RHSA-2024:2882 — Important
RHSA-2024:2883 — Important
RHSA-2024:2884 — Important
RHSA-2024:2885 — Important
RHSA-2024:2886 — Important
RHSA-2024:2887 — Important
RHSA-2024:2888 — Important
RHSA-2024:2903 — Important
RHSA-2024:2904 — Important
RHSA-2024:2905 — Important
RHSA-2024:2906 — Important
RHSA-2024:2911 — Important
RHSA-2024:2912 — Important
RHSA-2024:2913 — Important
RHSA-2024:3338 — Important
RHSA-2024:3783 — Important
RHSA-2024:3784 — Important
Firefox vulnerabilities
Thunderbird vulnerabilities
Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.
Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
Odoo ≤17 is vulnerable to CVE-2024-4367, allowing arbitrary JavaScript execution via PDF.js.
Open source ↗Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution
Open source ↗CVE-2024-4367 is a critical vulnerability (CVSS 9.8) in PDF.js, allowing arbitrary JavaScript code execution due to insufficient type checks on the FontMatrix object within PDF files.
Open source ↗PoC - Prueba de Concepto de CVE-2024-4367 en conjunto al CVE-2023-38831 en un solo Script
Open source ↗This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in CVE-2024-4367
Open source ↗PDF.js是由Mozilla维护的基于JavaScript的PDF查看器。此漏洞允许攻击者在打开恶意 PDF 文件后立即执行任意 JavaScript 代码。这会影响所有 Firefox 用户 (<126),因为 Firefox 使用 PDF.js 来显示 PDF 文件,但也严重影响了许多基于 Web 和 Electron 的应用程序,这些应用程序(间接)使用 PDF.js 进行预览功能。
Open source ↗YARA detection rule for CVE-2024-4367 arbitrary javascript execution in PDF.js
Open source ↗This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in CVE-2024-4367
Open source ↗CVE-2024-4367 & CVE-2024-34342 Proof of Concept
Open source ↗See which npm, PyPI, Go, and Maven packages are affected by CVE-2024-4367
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.
redhat
CWE-754