Patch for Stored XSS in PDF renderer #7928 #7966

Merged
merged 1 commit into from
May 16, 2025

@edoardottt edoardottt commented May 16, 2025

Describe the pull request

This PR resolves a vulnerability present in gogs.

An old and vulnerable version of PDF.js was included (v1.4.20, vulnerable to CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js).
This PR substitutes the old version with PDF.js v5.2.133.

Link to the issue: closes #7928

Checklist

  • I agree to follow the Code of Conduct by submitting this pull request.
  • I have read and acknowledge the Contributing guide.
  • I have added test cases to cover the new code or have provided the test plan.

Test plan

  1. Start a gogs local instance using the source (updated with this PR's changes)

         git clone https://github.com/edoardottt/gogs
         cd gogs
         git checkout fix-pdf-js-xss
         sudo adduser --disabled-login --gecos 'Gogs' git
         go build -o gogs
         ./gogs web

  2. Set up the local instance using SQLite3 (quickest way)
  3. Create a test user
  4. Create a test repository
  5. Upload the PoC PDF file

         git clone http://localhost:3000/test/test.git
         cd test/
         cp ~/Downloads/poc_generalized_CVE-2024-4367.pdf .
         git add .
         git commit -m poc
         git push

  6. Render the PDF

[Image: gogs-xss-pdf-js]

Note

Notice that the PDF is rendered in the browser and no XSS vulnerability is present

@edoardottt edoardottt requested a review from unknwon as a code owner May 16, 2025 14:37
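
Added example, not part of the pull request or of Gogs: a defender-side check that walks a source tree and reports every vendored PDF.js copy older than the v5.2.133 this PR ships, so a leftover v1.4.20 file is caught after the update. The version-literal patterns, the baseline policy and the file names in the constructed tree are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Assumption: PDF.js bundles declare their version as a string literal, e.g.
#   PDFJS.version = '1.4.20';        (older builds)
#   const pdfjsVersion = "5.2.133";  (newer builds)
VERSION_RE = re.compile(
    r"""(?:PDFJS\.version|pdfjsVersion)\s*=\s*['"](\d+\.\d+(?:\.\d+)?)['"]"""
)
BASELINE = (5, 2, 133)  # version shipped by this PR; example policy, not the CVE boundary


def parse_version(text):
    """Turn '1.4.20' into (1, 4, 20); pad two-part versions with a zero."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def find_pdfjs_versions(root):
    """Return sorted (relative path, version) pairs for JS files declaring a PDF.js version."""
    root = Path(root)
    hits = set()
    for path in root.rglob("*"):
        if path.suffix not in {".js", ".mjs"} or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for match in VERSION_RE.finditer(text):
            hits.add((path.relative_to(root).as_posix(), parse_version(match.group(1))))
    return sorted(hits)


def outdated(root, baseline=BASELINE):
    """Return only the copies whose version is older than the baseline."""
    return [(p, v) for p, v in find_pdfjs_versions(root) if v < baseline]


def demo():
    """Run the scan over a constructed tree (hypothetical file names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "old").mkdir()
        (root / "new").mkdir()
        (root / "old" / "pdf.js").write_text("PDFJS.version = '1.4.20';\n")
        (root / "new" / "pdf.mjs").write_text('const pdfjsVersion = "5.2.133";\n')
        (root / "new" / "app.js").write_text("var version = '0.1.0';\n")
        return find_pdfjs_versions(root), outdated(root)


if __name__ == "__main__":
    for rel, ver in demo()[1]:
        print(f"outdated PDF.js {'.'.join(map(str, ver))}: {rel}")
```

Calling `outdated()` on a real checkout and failing the build on a non-empty result keeps an old copy from being reintroduced.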
@unknwon unknwon left a comment

Thank you!

@unknwon unknwon added this to the 0.13.3 milestone May 16, 2025
@unknwon unknwon merged commit 4d6a0eb into gogs:main May 16, 2025
5 checks passed
unknwon commented Jun 9, 2025

0.13.3, which includes this patch, has been released.
