CVE-2026-25755

Name of the Vulnerable Software and Affected Versions jsPDF versions prior to 4.2.0

Description jsPDF is a JavaScript library used to generate PDF documents. A flaw exists where user-controlled input to the addJS method allows an attacker to inject arbitrary PDF objects into generated documents. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure when a user opens the PDF. The addJS method is vulnerable because it lacks proper input sanitization, allowing attackers to break out of the intended JavaScript string context. This can lead to the execution of arbitrary JavaScript code within the PDF, potentially triggering actions like displaying alerts or manipulating the document content. The vulnerability can be exploited by injecting a malicious payload that closes the JavaScript string, closes the current dictionary, and then injects an "Additional Action" that executes when the PDF is focused or opened. The injected code can then perform actions such as displaying an alert message.

Recommendations Upgrade to jsPDF version 4.2.0 or later. As a temporary workaround, escape parentheses in user-provided JavaScript code before passing it to the addJS method.