CVE-2026-25755
📋 TL;DR
This vulnerability in jsPDF allows attackers to inject arbitrary PDF objects into generated documents by controlling the argument of the `addJS` method. By escaping JavaScript string delimiters, attackers can execute malicious actions or alter document structure, affecting any user who opens the generated PDF. This impacts any application using vulnerable versions of jsPDF to generate PDFs from user-controlled input.
💻 Affected Systems
- jsPDF
📦 What is this software?
Jspdf by Parall
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of PDF viewer application, arbitrary code execution on user's system when opening malicious PDF, data exfiltration, or system takeover.
Likely Case
PDF document manipulation, injection of malicious content, potential cross-site scripting (XSS) in PDF viewers, or denial of service through malformed PDFs.
If Mitigated
Limited impact with proper input validation and escaping, potentially only minor document formatting issues.
🎯 Exploit Status
Exploitation requires user interaction to open the malicious PDF. The vulnerability is well-documented with public references and proof-of-concept details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.0
Vendor Advisory: https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp
Restart Required: No
Instructions:
1. Update jsPDF to version 4.2.0 or later.
2. Run `npm update jspdf` or equivalent package manager command.
3. Test PDF generation functionality to ensure compatibility.
🔧 Temporary Workarounds
Input sanitization workaround
Escape parentheses in user-provided JavaScript code before passing it to the `addJS` method
// Before passing user input to addJS, escape backslashes along with parentheses,
// so a backslash already in the input cannot cancel an added escape:
const sanitizedInput = userInput.replace(/[\\()]/g, '\\$&');
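The escaping workaround, carried further as an added example (not jsPDF's code or the advisory's): it assumes `addJS` in versions before 4.2.0 writes its argument unchanged into a PDF literal string, where `(` `)` delimit and `\` escapes, and checks whether a value would stay inside that string. All function names and sample inputs are constructed here.

```javascript
// Added example, not jsPDF code; all function names are hypothetical.
// Assumption: the script text ends up between "(" and ")" of a PDF literal string.

// Escaping only the parentheses, kept for comparison.
function escapeParensOnly(text) {
  return String(text).replace(/[()]/g, (ch) => "\\" + ch);
}

// Escape backslashes and parentheses in one pass, so a backslash already in
// the input cannot neutralise the escape added in front of a parenthesis.
function escapePdfLiteral(text) {
  return String(text).replace(/[\\()]/g, (ch) => "\\" + ch);
}

// True if `body` would not stay inside its enclosing literal: an unescaped ")"
// at depth 0, a trailing lone backslash (it would escape the closing ")"),
// or an unescaped "(" left open at the end.
function breaksPdfLiteral(body) {
  let depth = 0;
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === "\\") {
      if (i === body.length - 1) return true;
      i++; // skip the escaped character
    } else if (ch === "(") {
      depth++;
    } else if (ch === ")") {
      if (depth === 0) return true;
      depth--;
    }
  }
  return depth !== 0;
}

// Constructed sample inputs (JavaScript string literals, so "\\" is one backslash).
const samples = [
  'app.alert("hello")',
  "unbalanced ) paren",
  "backslash before paren \\) here",
  "ends with backslash \\",
];

// For each input, report whether it breaks the literal raw and after each escaper.
function audit(inputs) {
  return inputs.map((s) => ({
    input: s,
    raw: breaksPdfLiteral(s),
    parensOnly: breaksPdfLiteral(escapeParensOnly(s)),
    full: breaksPdfLiteral(escapePdfLiteral(s)),
  }));
}

console.table(audit(samples));
```

This pre-escaping is meant for releases before 4.2.0; confirm against the vendor advisory how the fixed release treats the argument before combining the two.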
🧯 If You Can't Patch
- Disable or restrict use of the `addJS` method in applications
- Implement strict input validation and sanitization for all user-provided content passed to PDF generation functions
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules for the jsPDF version. If the version is earlier than 4.2.0 and the application passes user input to the `addJS` method, it is vulnerable.
Check Version:
npm list jspdf
Verify Fix Applied:
Verify jsPDF version is 4.2.0 or later. Test PDF generation with malicious input to ensure injection is prevented.
📡 Detection & Monitoring
Log Indicators:
- Unusual PDF generation patterns
- Multiple failed PDF generation attempts
- Large or malformed JavaScript strings in PDF generation logs
Network Indicators:
- Unexpected PDF downloads containing JavaScript
- PDF files with embedded JavaScript from untrusted sources
SIEM Query:
source="application_logs" AND ("addJS" OR "jspdf") AND ("error" OR "malformed" OR "injection")