GHSA-9vjf-qc39-jprp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9vjf-qc39-jprp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9vjf-qc39-jprp/GHSA-9vjf-qc39-jprp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9vjf-qc39-jprp
- Aliases
- Published
- 2026-02-19T19:32:36Z
- Modified
- 2026-02-19T20:16:41.274168Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method
- Details
-
Impact
User control of the argument of the
addJSmethod allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.import { jsPDF } from "jspdf"; const doc = new jsPDF(); // Payload: // 1. ) closes the JS string. // 2. > closes the current dictionary. // 3. /AA ... injects an "Additional Action" that executes on focus/open. const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>"; doc.addJS(maliciousPayload); doc.save("vulnerable.pdf");Patches
The vulnerability has been fixed in jspdf@4.2.0.
Workarounds
Escape parentheses in user-provided JavaScript code before passing them to the
addJSmethod.References
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
- Database specific
{ "nvd_published_at": "2026-02-19T15:16:12Z", "github_reviewed_at": "2026-02-19T19:32:36Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-116", "CWE-94" ] }- References
-
- https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp
- https://nvd.nist.gov/vuln/detail/CVE-2026-25755
- https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437
- https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
- https://github.com/parallax/jsPDF
- https://github.com/parallax/jsPDF/releases/tag/v4.2.0
Affected packages
npm / jspdf
Package
- Name
- jspdf
- View open source insights on deps.dev
- Purl
- pkg:npm/jspdf