GHSA-vm32-vv63-w422

Source

https://github.com/advisories/GHSA-vm32-vv63-w422

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-vm32-vv63-w422/GHSA-vm32-vv63-w422.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vm32-vv63-w422

Aliases

CVE-2026-24043

Related

CGA-gj63-xvhj-4cm3

Published

2026-02-02T18:28:29Z

Modified

2026-02-11T01:29:12.453725Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator

Summary

jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)

Details

Impact

User control of the first argument of the addMetadata function allows users to inject arbitrary XML.

If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed.

Example attack vector:

import { jsPDF } from "jspdf"

const doc = new jsPDF()

// Input a string that closes the current XML tag and opens a new one.
// We are injecting a fake "dc:creator" (Author) to spoof the document source.
const maliciousInput = '</jspdf:metadata></rdf:Description>' +
    '&lt;rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">' +
    '<dc:creator>TRUSTED_ADMINISTRATOR</dc:creator>' + // <--- Spoofed Identity
    '</rdf:Description>' +
    '<rdf:Description><jspdf:metadata>'

// The application innocently adds the user's input to the metadata
doc.addMetadata(maliciousInput, "http://valid.namespace")

doc.save("test.pdf")

Patches

The vulnerability has been fixed in jsPDF@4.1.0

Workarounds

Sanitize user input before passing it to the addMetadata method: escape XML entities. For example:

let input = "..."

input = input
    .replace(/&/g, "&amp;")
    .replace(/&lt;/g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;")

doc.addMetadata(input)

Database specific

{
    "nvd_published_at": "2026-02-02T23:16:07Z",
    "github_reviewed_at": "2026-02-02T18:28:29Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-20",
        "CWE-74"
    ]
}

References

Affected packages

npm / jspdf

Package

Name: jspdf; View open source insights on deps.dev
Purl: pkg:npm/jspdf

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.0

Database specific

last_known_affected_version_range

"<= 4.0.0"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-vm32-vv63-w422/GHSA-vm32-vv63-w422.json"