{"id":"CVE-2024-4367","details":"A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11.","aliases":["GHSA-wgrm-67xf-hhpq"],"modified":"2026-04-02T12:18:28.947600Z","published":"2024-05-14T18:15:12.467Z","related":["ALSA-2024:2883","ALSA-2024:2888","ALSA-2024:3783","ALSA-2024:3784","CGA-9prp-5j33-cxv9","MGASA-2024-0189","MGASA-2024-0191","SUSE-SU-2024:1676-1","SUSE-SU-2024:1770-1","SUSE-SU-2024:1858-1","openSUSE-SU-2024:13980-1","openSUSE-SU-2024:13981-1","openSUSE-SU-2024:14572-1"],"references":[{"type":"WEB","url":"https://www.exploit-db.com/exploits/52273"},{"type":"WEB","url":"https://github.com/mozilla/pdf.js/releases/tag/v4.2.67"},{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2024-21/"},{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2024-22/"},{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2024-23/"},{"type":"REPORT","url":"https://github.com/gogs/gogs/issues/7928"},{"type":"REPORT","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1893645"},{"type":"ARTICLE","url":"http://seclists.org/fulldisclosure/2024/Aug/30"},{"type":"ARTICLE","url":"https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mozilla/pdf.js","events":[{"introduced":"0"},{"fixed":"49b388101a53f1ff81390fab8336d02acf06a582"}]}],"versions":["1.0.277","help","milestone-0.2","v0.1.0","v0.3.459","v0.4.11","v0.5.5","v0.8.1181","v0.8.1334","v1.0.1040","v1.0.1149","v1.0.1207","v1.0.1208","v1.0.1209","v1.0.1210","v1.0.1211","v1.0.1212","v1.0.1213","v1.0.2","v1.0.21","v1.0.277","v1.0.403","v1.0.473","v1.0.68","v1.0.712","v1.0.907","v1.1.1","v1.1.114","v1.1.215","v1.1.3","v1.1.366","v1.1.469","v1.10.100","v1.10.88","v1.2.109","v1.3.88","v1.3.91","v1.4.11","v1.4.20","v1.5.188","v1.6.210","v1.7.225","v1.8.170","v1.8.188","v1.9.426","v2.0.943","v2.1.266","v2.10.377","v2.11.338","v2.12.313","v2.12.70_esr","v2.13.216","v2.13.94_beta","v2.14.305","v2.15.349","v2.16.105","v2.2.228","v2.3.200","v2.4.456","v2.5.207","v2.6.347","v2.7.570","v2.8.335","v2.9.359","v3.0.279","v3.1.81","v3.10.111","v3.11.174","v3.2.146","v3.3.122","v3.4.120","v3.5.141","v3.6.172","v3.7.107","v3.8.162","v3.9.179","v4.0.189","v4.0.269","v4.0.379","v4.1.392","vundefined"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"115.11.0"}]},{"events":[{"introduced":"0"},{"fixed":"126.0"}]},{"events":[{"introduced":"0"},{"fixed":"115.11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"fixed":"7.10.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision10"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision11"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision12"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision13"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision14"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision15"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision16"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision17"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision18"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision19"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision20"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision21"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision22"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision23"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision24"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision25"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision26"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision27"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision28"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision29"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision30"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision31"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision32"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision33"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision34"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision35"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision36"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision37"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision38"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision39"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision40"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision41"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision42"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision43"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision44"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision8"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-revision9"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4367.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}