FixVibe

// code / spotlight

PDF.js JavaScript Execution Advisory

A vulnerable PDF viewer can turn a malicious document into script execution.

Il gancio

PDF viewers often sit in document workflows that handle invoices, contracts, resumes, uploads, and support attachments. When PDF.js is in the affected range, rendering a malicious PDF can execute attacker-controlled JavaScript in the hosting page's origin.

Come funziona

The repo check looks for `pdfjs-dist` in npm dependency files and lockfiles. Exact lockfile versions produce high-confidence findings; broad package.json ranges are reported when they clearly allow PDF.js releases up to and including 4.1.392.

Il raggio d'azione

If an app renders untrusted PDFs with the vulnerable runtime, attacker-controlled script may run in the browser context that hosts the viewer. Depending on the page, that can expose session data, document content, tenant metadata, or actions available to the signed-in user.

// cosa controlla fixvibe

Cosa controlla FixVibe

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Difese a prova di bomba

Upgrade `pdfjs-dist` to 4.2.67 or newer, regenerate the active lockfile, and rebuild every PDF viewer bundle and worker asset. If untrusted PDFs must be rendered before the upgrade rolls out, use `isEvalSupported: false` where compatible as temporary defense-in-depth.

// run it on your own app

Continua a spedire mentre FixVibe vigila per te.

FixVibe mette sotto pressione la superficie pubblica della tua app come farebbe un attaccante — senza agent, senza installazione, senza carta. Continuiamo a studiare nuovi pattern di vulnerabilità e li trasformiamo in controlli pratici e fix pronti da incollare in Cursor, Claude e Copilot.

Codice sorgente
116
test eseguiti in questa categoria
modules
76
controlli dedicati a codice sorgente
ogni scansione
487+
test su tutte le categorie
  • Gratis — senza carta di credito, senza installazione, senza ping su Slack
  • Incolla un URL — pensiamo noi a crawl, sonde e report
  • Risultati classificati in base alla gravità, deduplicati solo per segnalare
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Esegui una scansione gratuita

// latest checks · practical fixes · ship with confidence

PDF.js JavaScript Execution Advisory — Vulnerabilità in primo piano | FixVibe · FixVibe