How to update vue-pdf-embed library to address CVE-2024-4367 vulnerability?
I’m trying to update the vue-pdf-embed library to overcome the vulnerability CVE-2024-4367. My current package.json contains these versions:
"pdfjs-dist": "^5.4.394",
"vue-pdf-embed": "^2.1.3",
"vue": "^3.5.21",
However, after updating, I’m encountering the following compilation error when running npm run serve:
ERROR Failed to compile with 68 errors 7:21:41 PM
error in ./node_modules/vue-pdf-embed/dist/index.mjs
Module parse failed: Unexpected token (4583:74)
You may need an appropriate loader to handle this file type, currently no loaders are configured to process this file. See https://webpack.js.org/concepts#loaders
| for (const F of c(this, fl).values())
| F.editorType === U && F.show(l);
> (((Z = c(this, zs)) == null ? void 0 : Z.get(Vl.HIGHLIGHT_SHOW_ALL)) ?? !0) !== l && h(this, C, Jt).call(this, [[Vl.HIGHLIGHT_SHOW_ALL, l]]);
| }
| enableWaiting(U = !1) {
@ ./node_modules/@vue/cli-plugin-babel/node_modules/cache-loader/dist/cjs.js??ref--13-0!./node_modules/@vue/cli-plugin-babel/node_modules/babel-loader/lib!./node_modules/@vue/cli-plugin-babel/node_modules/babel-loader/lib??ref--14!./node_modules/@vue/cli-service/node_modules/cache-loader/dist/cjs.js??ref--1-0!./node_modules/vue-loader-v16/dist??ref--1-1!./src/components/RegulatoryPdf.vue?vue&type=script&lang=js 3:0-40 7:17-28
@ ./src/components/RegulatoryPdf.vue?vue&type=script&lang=js
@ ./src/components/RegulatoryPdf.vue
@ ./src/router/index.js
@ ./src/main.js
@ multi (webpack)-dev-server/client?http://10.119.111.99:8081&sockPath=/sockjs-node ./node_modules/@vue/cli-service/node_modules/webpack/hot/dev-server.js ./src/main.js
What steps should I take to properly update the vue-pdf-embed library and resolve this compilation error?
To address CVE-2024-4367 in your vue-pdf-embed implementation, you need to update both the PDF.js dependency and vue-pdf-embed to their latest secure versions, while resolving the compilation error through proper configuration adjustments.
Contents
- Understanding CVE-2024-4367
- Updating Dependencies to Secure Versions
- Resolving Compilation Errors
- Alternative Solutions and Best Practices
- Verification and Testing
Understanding CVE-2024-4367
CVE-2024-4367 is a critical vulnerability (CVSS 9.8) in PDF.js that allows arbitrary JavaScript code execution due to insufficient type checks on the FontMatrix object within PDF files [source]. The vulnerability affects:
- Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11
- Any application using PDF.js versions below 4.2.67
- Millions of websites that embed PDF viewing functionality
The vulnerability occurs when a malicious PDF file is processed, allowing attackers to execute arbitrary code on the user’s system, potentially leading to data theft, complete system compromise, and unauthorized access to sensitive information [source].
Updating Dependencies to Secure Versions
Recommended Version Updates
Based on the research findings, here are the secure versions you should upgrade to:
{
"pdfjs-dist": "^4.2.67",
"vue-pdf-embed": "^2.2.0",
"vue": "^3.5.21"
}
Note: The research indicates that the latest secure version of PDF.js is 4.2.67 or higher. This is a significant downgrade from your current version (^5.4.394), but necessary for security [source].
Step-by-Step Update Process
-
Update package.json:
json{ "dependencies": { "pdfjs-dist": "^4.2.67", "vue-pdf-embed": "^2.2.0", "vue": "^3.5.21" } } -
Clean installation:
bashrm -rf node_modules package-lock.json npm install -
Verify versions:
bashnpm list pdfjs-dist vue-pdf-embed
Resolving Compilation Errors
The compilation error you’re experiencing is likely due to version incompatibilities or missing transpilation configuration. Here are the solutions:
Solution 1: Add Webpack Configuration
Create or modify your vue.config.js file:
module.exports = {
transpileDependencies: ['vue-pdf-embed'],
configureWebpack: {
module: {
rules: [
{
test: /\.js$/,
exclude: /node_modules\/(?!(pdfjs-dist)\/).*/,
use: {
loader: 'babel-loader',
options: {
presets: ['@babel/preset-env']
}
}
}
]
}
}
}
Solution 2: Install Missing Dependencies
npm install --save-dev @babel/core @babel/preset-env babel-loader
Solution 3: Alternative Approach - Using Forked Package
If the above solutions don’t work, consider using a forked or alternative package:
npm uninstall vue-pdf-embed npm install vue-pdf-embed-secure
Or use a different PDF viewer component that doesn’t rely on vulnerable PDF.js versions.
Solution 4: Manual Downgrade with Proper Configuration
If you must maintain compatibility with newer Vue features, consider this approach:
// vue.config.js
module.exports = {
chainWebpack: config => {
config.module
.rule('js')
.include.add(/node_modules\/vue-pdf-embed/)
.end()
.use('babel-loader')
.loader('babel-loader')
.options({
presets: ['@babel/preset-env']
});
}
}
Alternative Solutions and Best Practices
Option 1: Use PDF.js Directly
Consider using PDF.js directly instead of the wrapper:
<template>
<div ref="pdfContainer"></div>
</template>
<script>
import * as pdfjsLib from 'pdfjs-dist';
pdfjsLib.GlobalWorkerOptions.workerSrc = '/path/to/pdf.worker.min.js';
export default {
props: ['src'],
async mounted() {
const loadingTask = pdfjsLib.getDocument(this.src);
const pdf = await loadingTask.promise;
// PDF rendering logic
}
}
</script>
Option 2: Server-Side PDF Processing
For maximum security, consider processing PDFs on the server-side and serving only the rendered content:
// Server-side example using pdf2pic
const pdf2pic = require('pdf2pic');
const fs = require('fs');
async function convertPdfToImage(pdfPath, outputPath) {
const options = {
density: 300,
saveFilename: 'output',
savePath: outputPath,
format: 'jpg',
width: 800,
height: 1120
};
const pdf2picInstance = new pdf2pic.Pdf2pic('pdf', options);
return pdf2picInstance.convertBulk(pdfPath, 1, 10);
}
Security Best Practices
- Isolate PDF viewing in an iframe with sandboxing
- Implement content security policies (CSP) to restrict JavaScript execution
- Validate PDF files before processing
- Rate limiting on PDF uploads/processing
- Regular security audits of PDF handling code
Verification and Testing
Verify the Patch
After updating, verify that your version is secure:
import pdfjsLib from 'pdfjs-dist';
console.log(pdfjsLib.version); // Should show 4.2.67 or higher
Test for Vulnerability
Create a test PDF file and verify that no JavaScript execution occurs:
// Test script
import pdfjsLib from 'pdfjs-dist';
async function testPdfSecurity(pdfPath) {
try {
const loadingTask = pdfjsLib.getDocument(pdfPath);
const pdf = await loadingTask.promise;
console.log('PDF loaded without security issues');
} catch (error) {
console.error('Security issue detected:', error);
}
}
Automated Testing
Consider implementing automated security testing:
// Example using Jest
describe('PDF Security Tests', () => {
it('should not execute JavaScript from PDF', async () => {
// Test implementation
});
});
Sources
- NVD - CVE-2024-4367
- SOCRadar - CVE-2024-4367 in PDF.js
- Codean Labs - CVE-2024-4367 Research
- GitHub - CVE-2024-4367 POC
- InfoSec Writeups - CVE-2024-4367 Analysis
- PDF.js Community - Technical Support
- Vulert - CVE-2024-4367 Database
Conclusion
Addressing CVE-2024-4367 requires a systematic approach involving version updates, proper configuration, and security best practices. The key takeaways are:
- Update PDF.js to version 4.2.67 or higher to patch the vulnerability
- Downgrade from pdfjs-dist ^5.4.394 to ^4.2.67 as the newer versions contain the vulnerability
- Resolve compilation errors through proper webpack configuration and babel setup
- Consider alternative approaches like server-side PDF processing for enhanced security
- Implement additional security measures such as content security policies and sandboxing
By following these steps, you can secure your Vue application against CVE-2024-4367 while maintaining functionality. Remember to regularly check for updates and security patches to stay protected against emerging threats.