This viewer parses untrusted CAD packages in the browser. Parser code must treat every count, offset and compressed length as untrusted input.
Please report security issues through GitHub Security Advisories for flyfish-dev/dwf-viewer rather than opening a public issue with exploit details.
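
The rule above about counts, offsets and compressed lengths, shown as an added example that is not code from this project. The directory layout, the size caps and the names `parseDirectory` and `buildSample` are assumptions made for illustration and do not describe the DWF format.

```javascript
// Added example: hypothetical little-endian directory, not the DWF format or this project's parser.
// Layout: u32 entryCount, then entryCount x { u32 offset, u32 compressedLength, u32 inflatedLength }.
const ENTRY_SIZE = 12;
const MAX_ENTRIES = 4096;                       // assumed cap
const MAX_INFLATED = 64 * 1024 * 1024;          // assumed per-entry cap
const MAX_TOTAL_INFLATED = 256 * 1024 * 1024;   // assumed per-package cap

function parseDirectory(buffer) {
  if (!(buffer instanceof ArrayBuffer)) throw new TypeError("expected ArrayBuffer");
  if (buffer.byteLength < 4) throw new RangeError("truncated header");
  const view = new DataView(buffer);
  const count = view.getUint32(0, true);
  // Check the count against a cap and against the bytes present before looping.
  if (count > MAX_ENTRIES) throw new RangeError("entry count exceeds cap");
  const dirEnd = 4 + count * ENTRY_SIZE;
  if (dirEnd > buffer.byteLength) throw new RangeError("directory runs past end of input");

  const entries = [];
  let totalInflated = 0;
  for (let i = 0; i < count; i++) {
    const base = 4 + i * ENTRY_SIZE;
    const offset = view.getUint32(base, true);
    const compressedLength = view.getUint32(base + 4, true);
    const inflatedLength = view.getUint32(base + 8, true);
    if (offset < dirEnd || offset > buffer.byteLength)
      throw new RangeError(`entry ${i}: offset out of range`);
    // Compare against the remaining bytes instead of computing offset + length.
    if (compressedLength > buffer.byteLength - offset)
      throw new RangeError(`entry ${i}: compressed data runs past end of input`);
    // The declared size only gates allocation; the inflater must enforce the same cap on real output.
    if (inflatedLength > MAX_INFLATED) throw new RangeError(`entry ${i}: inflated size exceeds cap`);
    totalInflated += inflatedLength;
    if (totalInflated > MAX_TOTAL_INFLATED) throw new RangeError("total inflated size exceeds cap");
    entries.push({ offset, compressedLength, inflatedLength,
                   data: new Uint8Array(buffer, offset, compressedLength) });
  }
  return entries;
}

// Constructed sample input in the hypothetical layout: records are [offset, compressedLength, inflatedLength].
function buildSample(records, totalSize) {
  const buffer = new ArrayBuffer(totalSize);
  const view = new DataView(buffer);
  view.setUint32(0, records.length, true);
  records.forEach((fields, i) =>
    fields.forEach((value, j) => view.setUint32(4 + i * ENTRY_SIZE + j * 4, value, true)));
  return buffer;
}
```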