Fluid Attacks Database

Description

jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method

Impact

User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
...

Patches

The vulnerability has been fixed in [email protected].

Workarounds

Escape parentheses in user-provided JavaScript code before passing them to the addJS method.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	jspdf	>=0 <4.2.0	4.2.0

Aliases

1. CVE-2026-257552. NVD-2026-257553. OSV-2026-257554. GHSA-9vjf-qc39-jprp5. GCVE-2026-25755

References

1. https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp2. https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd54373. https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md4. https://github.com/parallax/jsPDF/releases/tag/v4.2.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.