High severity (score 8.8) · NVD Advisory · Published May 14, 2024 · Updated May 12, 2026
CVE-2024-4367
Description
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| pdfjs-dist | npm | < 4.2.67 | 4.2.67 |
Affected products
Mozilla Firefox
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: < 126.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: < 115.11.0)
- (no CPE) range: unspecified
- (no CPE) range: unspecified

Mozilla Thunderbird
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (range: < 115.11.0)
- (no CPE) range: unspecified
Open-Xchange App Suite Frontend
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:*:*:*:*:*:*:*:* (range: < 7.10.6)
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:-:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision10:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision11:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision12:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision13:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision14:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision15:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision16:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision17:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision18:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision19:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision20:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision21:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision22:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision23:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision24:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision25:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision26:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision27:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision28:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision29:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision3:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision30:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision31:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision32:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision33:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision34:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision35:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision36:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision37:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision38:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision39:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision4:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision40:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision41:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision42:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision43:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision44:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision5:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision6:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision7:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision8:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite_frontend:7.10.6:revision9:*:*:*:*:*:*
OSV coordinates (35 package versions)

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:apk/chainguard/firefox-esr | - | < 115.11.0-r0 |
| pkg:apk/chainguard/kibana-8 | - | < 8.16.1-r0 |
| pkg:apk/chainguard/kibana-8-bitnami | - | < 8.16.1-r0 |
| pkg:apk/chainguard/kibana-8-iamguarded | - | < 8.16.1-r0 |
| pkg:npm/pdfjs-dist | - | < 4.2.67 |
| pkg:rpm/almalinux/firefox | - | < 115.11.0-1.el9_4.alma.1 |
| pkg:rpm/almalinux/firefox-x11 | - | < 115.11.0-1.el9_4.alma.1 |
| pkg:rpm/almalinux/thunderbird | - | < 115.11.0-1.el9_4.alma.1 |
| pkg:rpm/opensuse/firefox-esr | openSUSE Tumbleweed | < 128.5.1-1.1 |
| pkg:rpm/opensuse/MozillaFirefox | openSUSE Leap 15.5 | < 115.11.0-150200.152.137.2 |
| pkg:rpm/opensuse/MozillaFirefox | openSUSE Leap 15.6 | < 115.11.0-150200.152.137.2 |
| pkg:rpm/opensuse/MozillaFirefox | openSUSE Tumbleweed | < 126.0-1.1 |
| pkg:rpm/opensuse/MozillaThunderbird | openSUSE Leap 15.5 | < 115.11.0-150200.8.160.1 |
| pkg:rpm/opensuse/MozillaThunderbird | openSUSE Leap 15.6 | < 115.11.0-150200.8.160.1 |
| pkg:rpm/opensuse/MozillaThunderbird | openSUSE Tumbleweed | < 115.11.0-1.1 |
| pkg:rpm/suse/MozillaFirefox | SUSE Enterprise Storage 7.1 | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Module for Desktop Applications 15 SP5 | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Module for Desktop Applications 15 SP6 | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Server 12 SP5 | < 115.11.0-112.212.1 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Server 15 SP2-LTSS | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Server 15 SP3-LTSS | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Server 15 SP4-LTSS | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | < 115.11.0-112.212.1 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Server for SAP Applications 15 SP2 | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Server for SAP Applications 15 SP3 | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Server for SAP Applications 15 SP4 | < 115.11.0-150200.152.137.2 |
| pkg:rpm/suse/MozillaFirefox | SUSE Linux Enterprise Software Development Kit 12 SP5 | < 115.11.0-112.212.1 |
| pkg:rpm/suse/MozillaThunderbird | SUSE Linux Enterprise Module for Package Hub 15 SP5 | < 115.11.0-150200.8.160.1 |
| pkg:rpm/suse/MozillaThunderbird | SUSE Linux Enterprise Module for Package Hub 15 SP6 | < 115.11.0-150200.8.160.1 |
| pkg:rpm/suse/MozillaThunderbird | SUSE Linux Enterprise Workstation Extension 15 SP5 | < 115.11.0-150200.8.160.1 |
| pkg:rpm/suse/MozillaThunderbird | SUSE Linux Enterprise Workstation Extension 15 SP6 | < 115.11.0-150200.8.160.1 |
References
- github.com/advisories/GHSA-wgrm-67xf-hhpq (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-4367 (GHSA; advisory)
- www.mozilla.org/security/advisories/mfsa2024-21/ (NVD; vendor advisory; also listed by GHSA)
- www.mozilla.org/security/advisories/mfsa2024-22/ (NVD; vendor advisory; also listed by GHSA)
- www.mozilla.org/security/advisories/mfsa2024-23/ (NVD; vendor advisory; also listed by GHSA)
- seclists.org/fulldisclosure/2024/Aug/30 (NVD; mailing list)
- bugzilla.mozilla.org/show_bug.cgi (NVD; issue tracking)
- cert-portal.siemens.com/productcert/html/ssa-827383.html (NVD)
- codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/ (GHSA; NVD)
- github.com/gogs/gogs/issues/7928 (NVD)
- github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6 (GHSA)
- github.com/mozilla/pdf.js/pull/18015 (GHSA)
- github.com/mozilla/pdf.js/releases/tag/v4.2.67 (NVD)
- github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq (GHSA)
- lists.debian.org/debian-lts-announce/2024/05/msg00010.html (NVD; mailing list)
- lists.debian.org/debian-lts-announce/2024/05/msg00012.html (NVD; mailing list)
- www.exploit-db.com/exploits/52273 (NVD)
News mentions
- Top 10 web hacking techniques of 2024 (PortSwigger Research, Feb 4, 2025)
- Top 10 web hacking techniques of 2024: nominations open (PortSwigger Research, Jan 8, 2025)
- GitLab Patch Release: 17.0.1, 16.11.3, 16.10.6 (GitLab Security Releases, May 22, 2024)
- Siemens Teamcenter (CISA ICS Advisories)