Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.1
jspdf: Malicious JavaScript Can Alter or Harm PDFs
CVE-2026-25755
GHSA-9vjf-qc39-jprp
Summary
The jspdf library allows attackers to inject malicious JavaScript into PDFs if user input is not sanitized. This could let attackers harm or alter documents opened by others. To fix, update to jspdf version 4.2.0 or escape any JavaScript code before adding it to a PDF with the addJS method.
What to do
- Update mrjameshall jspdf to version 4.2.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| mrjameshall | jspdf | <= 4.2.0 | 4.2.0 |
| parall | jspdf | <= 4.2.0 | – |
Original title
jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method
Original description
### Impact
User control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.
```js
import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
```
### Patches
The vulnerability has been fixed in [email protected].
### Workarounds
Escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.
### References
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
User control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.
```js
import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
```
### Patches
The vulnerability has been fixed in [email protected].
### Workarounds
Escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.
### References
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
nvd CVSS3.1
8.8
Vulnerability type
CWE-94
Code Injection
CWE-116
- https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md Exploit Mitigation Third Party Advisory
- https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd543... Patch
- https://github.com/parallax/jsPDF/releases/tag/v4.2.0 Release Notes
- https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25755
- https://github.com/advisories/GHSA-9vjf-qc39-jprp
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026