cve/2024/CVE-2024-4367.md

### [CVE-2024-4367](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4367)
![](https://img.shields.io/static/v1?label=Product&message=Firefox%20ESR&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Firefox&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Thunderbird&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20115.11%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20126%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Arbitrary%20JavaScript%20execution%20in%20PDF.js&color=brighgreen)

### Description

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

### POC

#### Reference
- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

#### Github
- https://github.com/0xr2r/CVE-2024-4367
- https://github.com/1337rokudenashi/Odoo_PDFjs_CVE-2024-4367.pdf
- https://github.com/AazafRitha/bug-bounty-reports
- https://github.com/BektiHandoyo/cve-pdf-host
- https://github.com/Bhavyakcwestern/Hacking-pdf.js-vulnerability
- https://github.com/GhostTroops/TOP
- https://github.com/J1ezds/Vulnerability-Wiki-page
- https://github.com/LOURC0D3/CVE-2024-4367-PoC
- https://github.com/Masamuneee/CVE-2024-4367-Analysis
- https://github.com/MihranGIT/POC_CVE-2024-4367
- https://github.com/PenguinCabinet/CVE-2024-4367-hands-on
- https://github.com/Scivous/CVE-2024-4367-npm
- https://github.com/Threekiii/Awesome-POC
- https://github.com/UnHackerEnCapital/PDFernetRemotelo
- https://github.com/VVeakee/CVE-2024-4367
- https://github.com/XiaomingX/awesome-poc-for-red-team
- https://github.com/Zombie-Kaiser/cve-2024-4367-PoC-fixed
- https://github.com/alecdhuse/Lantern-Shark
- https://github.com/avalahEE/pdfjs_disable_eval
- https://github.com/clarkio/pdfjs-vuln-demo
- https://github.com/elamani-drawing/CVE-2024-4367-POC-PDFJS
- https://github.com/exfil0/WEAPONIZING-CVE-2024-4367
- https://github.com/google/fishy-pdf
- https://github.com/hellomipl/mipl-pdf-viewer
- https://github.com/kabiri-labs/CVE-2024-4367-PoC
- https://github.com/klausnitzer/pentest-pdf-collection
- https://github.com/m0d0ri205/PDFJS
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/pS3ud0RAnD0m/cve-2024-4367-poc
- https://github.com/pedrochalegre7/CVE-2024-4367-pdf-sample
- https://github.com/plzheheplztrying/cve_monitor
- https://github.com/rjm521/hdfs-dashboard
- https://github.com/romanbelaire/notebook
- https://github.com/rzte/pdf-exploit
- https://github.com/s4vvysec/CVE-2024-4367-POC
- https://github.com/snyk-labs/pdfjs-vuln-demo
- https://github.com/spaceraccoon/detect-cve-2024-4367
- https://github.com/tanjiti/sec_profile
- https://github.com/zgimszhd61/openai-sec-test-cve-quickstart
- https://github.com/zulloper/cve-poc
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2024-4367](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4367)`
			`![](https://img.shields.io/static/v1?label=Product&message=Firefox%20ESR&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=Firefox&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=Thunderbird&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20115.11%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%20126%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=Arbitrary%20JavaScript%20execution%20in%20PDF.js&color=brighgreen)`

			`### Description`

			`A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.`

			`### POC`

			`#### Reference`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://bugzilla.mozilla.org/show_bug.cgi?id=1893645`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00
			`#### Github`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/0xr2r/CVE-2024-4367`
			`- https://github.com/1337rokudenashi/Odoo_PDFjs_CVE-2024-4367.pdf`
			`- https://github.com/AazafRitha/bug-bounty-reports`
			`- https://github.com/BektiHandoyo/cve-pdf-host`
			`- https://github.com/Bhavyakcwestern/Hacking-pdf.js-vulnerability`
Update CVE sources 2024-06-07 04:52 2024-06-07 04:52:01 +00:00			`- https://github.com/GhostTroops/TOP`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/J1ezds/Vulnerability-Wiki-page`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`- https://github.com/LOURC0D3/CVE-2024-4367-PoC`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/Masamuneee/CVE-2024-4367-Analysis`
			`- https://github.com/MihranGIT/POC_CVE-2024-4367`
			`- https://github.com/PenguinCabinet/CVE-2024-4367-hands-on`
			`- https://github.com/Scivous/CVE-2024-4367-npm`
Update Mon May 27 13:12:02 UTC 2024 2024-05-27 13:12:02 +00:00			`- https://github.com/Threekiii/Awesome-POC`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/UnHackerEnCapital/PDFernetRemotelo`
			`- https://github.com/VVeakee/CVE-2024-4367`
			`- https://github.com/XiaomingX/awesome-poc-for-red-team`
Update CVE sources 2024-08-10 19:04 2024-08-10 19:04:30 +00:00			`- https://github.com/Zombie-Kaiser/cve-2024-4367-PoC-fixed`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/alecdhuse/Lantern-Shark`
Update CVE sources 2024-05-28 00:32 2024-05-28 00:32:59 +00:00			`- https://github.com/avalahEE/pdfjs_disable_eval`
Update CVE sources 2024-06-08 09:32 2024-06-08 09:32:58 +00:00			`- https://github.com/clarkio/pdfjs-vuln-demo`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/elamani-drawing/CVE-2024-4367-POC-PDFJS`
			`- https://github.com/exfil0/WEAPONIZING-CVE-2024-4367`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`- https://github.com/google/fishy-pdf`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/hellomipl/mipl-pdf-viewer`
			`- https://github.com/kabiri-labs/CVE-2024-4367-PoC`
			`- https://github.com/klausnitzer/pentest-pdf-collection`
			`- https://github.com/m0d0ri205/PDFJS`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`- https://github.com/nomi-sec/PoC-in-GitHub`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/pS3ud0RAnD0m/cve-2024-4367-poc`
			`- https://github.com/pedrochalegre7/CVE-2024-4367-pdf-sample`
			`- https://github.com/plzheheplztrying/cve_monitor`
			`- https://github.com/rjm521/hdfs-dashboard`
			`- https://github.com/romanbelaire/notebook`
			`- https://github.com/rzte/pdf-exploit`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`- https://github.com/s4vvysec/CVE-2024-4367-POC`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/snyk-labs/pdfjs-vuln-demo`
Update Sun May 26 16:36:09 UTC 2024 2024-05-26 16:36:09 +00:00			`- https://github.com/spaceraccoon/detect-cve-2024-4367`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`- https://github.com/tanjiti/sec_profile`
Update CVE sources 2024-06-08 09:32 2024-06-08 09:32:58 +00:00			`- https://github.com/zgimszhd61/openai-sec-test-cve-quickstart`
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`- https://github.com/zulloper/cve-poc`
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00