A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
CVE-2024-4367
This high-severity CVE scores 8.8 under NVD CVSS v3. EPSS exploit probability: 38.3%, top 3% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High exploitation likelihood — EPSS 73%
A fix is available — apply it.
- CVSS v3
- 8.8
- EG Score
- 8.8(medium)
- EPSS
- 99.4%
- KEV
- Not listed
Published
May 14, 2024
Last Modified
May 12, 2026
Advisory Details (9)
Auto-updated May 12, 2026Stored XSS in PDF renderer · Issue #7928 · gogs/gogs · GitHub
https://github.com/gogs/gogs/issues/7928CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js - Codean Labs
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/1893645 - (CVE-2024-4367) Arbitrary Javascript injection in PDF.js through FontMatrix
https://bugzilla.mozilla.org/show_bug.cgi?id=1893645Full Disclosure: OXAS-ADV-2024-0004: OX App Suite Security Advisory
http://seclists.org/fulldisclosure/2024/Aug/30Security Vulnerabilities fixed in Thunderbird 115.11 — Mozilla
https://www.mozilla.org/security/advisories/mfsa2024-23/Security Vulnerabilities fixed in Firefox ESR 115.11 — Mozilla
https://www.mozilla.org/security/advisories/mfsa2024-22/Security Vulnerabilities fixed in Firefox 126 — Mozilla
https://www.mozilla.org/security/advisories/mfsa2024-21/[SECURITY] [DLA 3817-1] thunderbird security update
https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html[SECURITY] [DLA 3815-1] firefox-esr security update
https://lists.debian.org/debian-lts-announce/2024/05/msg00010.htmlVendor Advisories for CVE-2024-4367(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(20)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
npm(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| pdfjs-dist | — | 4.2.67 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
All Vendor Advisories
(20)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
- Red HatRHSA-2024:2881IMPORTANT2024-05-14
RHSA-2024:2881 — Important
- Red HatRHSA-2024:2882IMPORTANT2024-05-14
RHSA-2024:2882 — Important
- Red HatRHSA-2024:2883IMPORTANT2024-05-14
RHSA-2024:2883 — Important
- Red HatRHSA-2024:2884IMPORTANT2024-05-14
RHSA-2024:2884 — Important
- Red HatRHSA-2024:2885IMPORTANT2024-05-14
RHSA-2024:2885 — Important
- Red HatRHSA-2024:2886IMPORTANT2024-05-14
RHSA-2024:2886 — Important
- Red HatRHSA-2024:2887IMPORTANT2024-05-14
RHSA-2024:2887 — Important
- Red HatRHSA-2024:2888IMPORTANT2024-05-14
RHSA-2024:2888 — Important
- Red HatRHSA-2024:2903IMPORTANT2024-05-14
RHSA-2024:2903 — Important
- Red HatRHSA-2024:2904IMPORTANT2024-05-14
RHSA-2024:2904 — Important
- Red HatRHSA-2024:2905IMPORTANT2024-05-14
RHSA-2024:2905 — Important
- Red HatRHSA-2024:2906IMPORTANT2024-05-14
RHSA-2024:2906 — Important
- Red HatRHSA-2024:2911IMPORTANT2024-05-14
RHSA-2024:2911 — Important
- Red HatRHSA-2024:2912IMPORTANT2024-05-14
RHSA-2024:2912 — Important
- Red HatRHSA-2024:2913IMPORTANT2024-05-14
RHSA-2024:2913 — Important
- Red HatRHSA-2024:3338IMPORTANT2024-05-14
RHSA-2024:3338 — Important
- Red HatRHSA-2024:3783IMPORTANT2024-05-14
RHSA-2024:3783 — Important
- Red HatRHSA-2024:3784IMPORTANT2024-05-14
RHSA-2024:3784 — Important
- UbuntuUSN-6779-1MEDIUM
Firefox vulnerabilities
- UbuntuUSN-6782-1MEDIUM
Thunderbird vulnerabilities
Data Freshness Timeline
(refreshed 3× in last 7d / 34× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-05 02:29 UTCEPSS rescore
- 2026-07-04 06:30 UTCEPSS rescore
- 2026-07-01 15:05 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-23 21:32 UTCEPSS rescore
- 2026-06-23 21:32 UTCEPSS rescore
- 2026-06-22 12:56 UTCOSV refresh
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-17 17:52 UTCEPSS rescore
- 2026-06-17 17:52 UTCEPSS rescore
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-15 17:47 UTCEPSS rescore
- 2026-06-14 23:17 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
Show 54 moreShow fewer
- 2026-06-12 23:11 UTCEPSS rescore
- 2026-06-12 23:11 UTCEPSS rescore
- 2026-06-11 13:59 UTCEPSS rescore
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 13:21 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 19:39 UTCOSV refresh
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-29 13:43 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-23 00:10 UTCEG score recompute
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 01:57 UTCEG score recompute
- 2026-05-22 01:57 UTCVendor advisory
- 2026-05-21 22:42 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-18 21:30 UTCEPSS rescore
- 2026-05-18 21:30 UTCEPSS rescore
- 2026-05-18 21:30 UTCEPSS rescore
Publicly available exploits
(10 references)Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoC1337rokudenashi/Odoo_PDFjs_CVE-2024-4367.pdfFirst seen Aug 25, 2025
Odoo ≤17 is vulnerable to CVE-2024-4367, allowing arbitrary JavaScript execution via PDF.js.
Open source ↗ - Exploit-DBEDB-52273First seen Apr 22, 2025
Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution
Open source ↗ - GitHub PoCexfil0/WEAPONIZING-CVE-2024-4367First seen Jan 5, 2025
CVE-2024-4367 is a critical vulnerability (CVSS 9.8) in PDF.js, allowing arbitrary JavaScript code execution due to insufficient type checks on the FontMatrix object within PDF files.
Open source ↗ - Open source ↗GitHub PoCMasamuneee/CVE-2024-4367-AnalysisFirst seen Sep 4, 2024
- GitHub PoCUnHackerEnCapital/PDFernetRemoteloFirst seen Jun 19, 2024
PoC - Prueba de Concepto de CVE-2024-4367 en conjunto al CVE-2023-38831 en un solo Script
Open source ↗ - GitHub PoCsnyk-labs/pdfjs-vuln-demoFirst seen Jun 17, 2024
This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in CVE-2024-4367
Open source ↗ - GitHub PoCZombie-Kaiser/cve-2024-4367-PoC-fixedFirst seen Jun 13, 2024
PDF.js是由Mozilla维护的基于JavaScript的PDF查看器。此漏洞允许攻击者在打开恶意 PDF 文件后立即执行任意 JavaScript 代码。这会影响所有 Firefox 用户 (<126),因为 Firefox 使用 PDF.js 来显示 PDF 文件,但也严重影响了许多基于 Web 和 Electron 的应用程序,这些应用程序(间接)使用 PDF.js 进行预览功能。
Open source ↗ - GitHub PoCspaceraccoon/detect-cve-2024-4367First seen May 22, 2024
YARA detection rule for CVE-2024-4367 arbitrary javascript execution in PDF.js
Open source ↗ - GitHub PoCclarkio/pdfjs-vuln-demoFirst seen May 22, 2024
This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in CVE-2024-4367
Open source ↗ - GitHub PoCLOURC0D3/CVE-2024-4367-PoCFirst seen May 20, 2024
CVE-2024-4367 & CVE-2024-34342 Proof of Concept
Open source ↗
Frequently asked(5)
What is CVE-2024-4367?
When was CVE-2024-4367 disclosed?
Is CVE-2024-4367 actively exploited?
What is the CVSS score of CVE-2024-4367?
How do I remediate CVE-2024-4367?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2024-4367
Is Your Infrastructure Affected by CVE-2024-4367?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.