
21 high severity vulnerabilities #1752

Open
Aaryan121 opened this issue May 7, 2024 · 17 comments

Comments

@Aaryan121

Recently, when integrating a new package into my project, I encountered security vulnerabilities with react-pdf-viewer/core. Despite attempting to resolve them using npm audit fix, the issue persists. Any idea on how I can fix this?

@sschimmel

Same here. npm audit is reporting a vulnerability in pdfjs-dist v3 and we need to upgrade to v4. However, react-pdf-viewer doesn't seem to be compatible with it. When is react-pdf-core going to be upgraded to support v4 of PDFjs?

@agforero

agforero commented May 8, 2024

Bumping this as well. There is a High vulnerability with pdfjs-dist v3. If react-pdf-viewer could upgrade to pdfjs-dist v4 ASAP it would be much appreciated.

@mike-franz

Adding in as well. https://www.tenable.com/cve/CVE-2024-4367 in particular is being flagged by our Snyk monitoring.

@dyu-paa

dyu-paa commented May 9, 2024

Just mentioning that #1711 and #1659 were done but v4 of react-pdf-viewer hasn't been released.

@agforero

Bumping again -- when could we expect a release that addresses the vulnerability?

@kdv24

kdv24 commented May 14, 2024

Any information at all would be helpful, @phuocng. And, as many have mentioned, there are a number of us that would be happy to help out on getting a stable release out. Thanks.

@dxdbno

dxdbno commented May 14, 2024

> Any information at all would be helpful, @phuocng. And, as many have mentioned, there are a number of us that would be happy to help out on getting a stable release out. Thanks.

I think this project is abandoned and not sure if the owner still is present.

@vinceAmstoutz

> Any information at all would be helpful, @phuocng. And, as many have mentioned, there are a number of us that would be happy to help out on getting a stable release out. Thanks.
>
> I think this project is abandoned and not sure if the owner still is present.

Maybe we will consider a fork or something like that

@adrianmxb

I would support a fork as well, but sadly with the project's LICENSE, this is also not really an option.

@agforero

agforero commented May 16, 2024

@adrianmxb if we've purchased a license, wouldn't that enable us to use a fork where we patch the security vulnerability? The license is worthless otherwise as we'd have to remove the application from our stack, assuming the project is abandoned.

According to react-pdf-viewer's license:

You are allowed to:

  • You may create an End Product for a client.
  • You may sell, license, sub-license or distribute and make any number of copies of the End Product.
  • You may modify or manipulate the Item. You may combine the Item with other works and make a derivative work from it. The resulting works are subject to the terms of this license.
  • This is a "multi-use" license, which means you may use an Item multiple times, in multiple projects.

@vicent4no

@agforero

You are NOT allowed to:

  • You can't re-distribute the Item as stock, in a tool or template, or with source files. You can't do this with an Item either on its own or bundled with other items, and even if you modify the Item.
  • You can't re-distribute or make available the Item as-is or with superficial modifications.
  • You must not permit an end user of the End Product to extract the Item and use it separately from the End Product.
  • The End Product can't be used in a product offered for sale where the item contributes to the core value of the product being sold. For example, convert a purchased product to a template or theme for sale on your website or marketplaces like ThemeForest, Creative Market, etc.

@agforero

@vicent4no I am not a lawyer, and this is not legal advice, but I believe re-distribute refers to copying the repository and re-selling it to people for profit, modified or not. This repository is public in any case; if you use react-pdf-viewer or any modified derivative you are still subject to its original license.

At present, there are 206 forks of this repository. I believe it would be fine if someone forked it and patched the security vulnerability in question.

@fmigot

fmigot commented May 29, 2024

Hello guys,
I'm facing the same issue here. This vulnerability in versions of pdfjs-dist before 4.2.67 is a big issue for us :/
I hope that @phuocng will come soon to us with a new version! 🙇

@dyu-paa

dyu-paa commented May 30, 2024

Has anyone tried the transformGetDocumentParams function?

```jsx
<Viewer
  fileUrl={url}
  transformGetDocumentParams={options =>
    Object.assign({}, options, { isEvalSupported: false })
  }
/>
```

@jkgenser

> Has anyone tried the transformGetDocumentParams function?
>
> <Viewer fileUrl={url} transformGetDocumentParams={options => Object.assign({}, options, { isEvalSupported: false, }) } />

Yes, this works as advertised. It is the correct mitigation to the vulnerability referenced here. #1752 (comment)

@FabianFrank

@phuocng is this project still maintained?

@fmigot

fmigot commented May 31, 2024

> Has anyone tried the transformGetDocumentParams function?
> <Viewer fileUrl={url} transformGetDocumentParams={options => Object.assign({}, options, { isEvalSupported: false, }) } />
>
> Yes, this works as advertised. It is the correct mitigation to the vulnerability referenced here. #1752 (comment)

Awesome, I saw the detail of the workaround and I tried to set it right in the Document base object of pdfjs but it did not work as expected. I did not see that param of <Viewer /> and it's perfect for the purpose of the workaround, works like a charm (but yes it's still a workaround). Thank you @jkgenser!
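As an added example (not code from the react-pdf-viewer project or from anyone in this thread), the two checks a practitioner would want around the workaround above: a `transformGetDocumentParams` callback that forces `isEvalSupported: false` even when the caller's options set it to true, and a version gate that says whether an installed pdfjs-dist is still below 4.2.67 (the fixed version named in the thread) and so still needs the workaround. The helper names and the sample package.json objects are constructed for this example.

```javascript
// Added example, not code from the react-pdf-viewer project or from anyone in
// this thread. Two defensive helpers around the mitigation discussed above.
// 1. transformGetDocumentParams callback that forces isEvalSupported to false,
//    overriding whatever the caller's options say, without mutating them.
//    Usage: <Viewer fileUrl={url} transformGetDocumentParams={disableEval} />
function disableEval(options) {
  return Object.assign({}, options, { isEvalSupported: false });
}

// 2. Version check: is an installed pdfjs-dist at or above 4.2.67, the fixed
//    version named in the thread? If not, the workaround above is still needed.
const PDFJS_FIXED_VERSION = '4.2.67';
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Comparator result -1, 0 or 1; pre-release tags after the patch number are ignored.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function pdfjsDistIsPatched(installedVersion) {
  return compareSemver(installedVersion, PDFJS_FIXED_VERSION) >= 0;
}

// Takes the parsed contents of node_modules/pdfjs-dist/package.json and reports
// whether the workaround is still required. Reads nothing from disk itself.
function auditPdfjsDist(pkgJson) {
  const version = pkgJson && pkgJson.version;
  if (typeof version !== 'string') {
    return { patched: false, needsWorkaround: true, reason: 'version field missing' };
  }
  const patched = pdfjsDistIsPatched(version);
  const reason = patched
    ? `${version} is at or above ${PDFJS_FIXED_VERSION}`
    : `${version} is below ${PDFJS_FIXED_VERSION}; keep isEvalSupported: false`;
  return { patched, needsWorkaround: !patched, reason };
}

// Constructed sample package.json objects (not read from a real install).
const SAMPLE_OLD_PDFJS = { name: 'pdfjs-dist', version: '3.11.174' };
const SAMPLE_NEW_PDFJS = { name: 'pdfjs-dist', version: '4.2.67' };
```

Passing `disableEval` as the `transformGetDocumentParams` prop keeps the rest of the caller's getDocument options intact while pinning the one flag the workaround depends on.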
