GHSA-9vjf-qc39-jprp

Published: 19 Feb 2026
Source: github
Github: Reviewed
CVSS3: 8.1

Description

jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method

Impact

User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

```js
import { jsPDF } from "jspdf";

const doc = new jsPDF();

// Payload:
// 1. ) closes the JS string.
// 2. >> closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
```

Patches

The vulnerability has been fixed in jspdf@4.2.0.

Workarounds

Escape parentheses in user-provided JavaScript code before passing them to the addJS method.
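
An added example of this workaround (not code from jsPDF or the advisory): it escapes backslashes as well as parentheses, because escaping parentheses alone still lets an input ending in `\)` close the string, and it checks the result with a small literal-string reader. The function names and the dictionary wrapper around the script are assumptions made for the example.

```javascript
// Added example, not jsPDF code; all function names are hypothetical.

// Escape what is special inside a PDF literal string "( ... )".
// Backslashes go first, otherwise input such as "\)" would become "\\)",
// which a PDF parser reads as an escaped backslash followed by a closing ")".
function escapePdfLiteral(text) {
  return String(text)
    .replace(/\\/g, "\\\\")
    .replace(/\(/g, "\\(")
    .replace(/\)/g, "\\)");
}

// Read one PDF literal string starting at "(": track nesting depth and
// backslash escapes. Only \\, \( and \) are decoded (enough for this check).
function readPdfLiteral(src) {
  if (src[0] !== "(") throw new Error("not a literal string");
  let depth = 1;
  let value = "";
  for (let i = 1; i < src.length; i++) {
    const c = src[i];
    if (c === "\\") { value += src[++i] ?? ""; continue; }
    if (c === "(") depth++;
    if (c === ")" && --depth === 0) return { value, rest: src.slice(i + 1) };
    value += c;
  }
  throw new Error("unterminated literal string");
}

// Assumed dictionary shape around the script (constructed for the example).
function inspect(js) {
  const dict = "<< /S /JavaScript /JS (" + js + ") >>";
  const { value, rest } = readPdfLiteral(dict.slice(dict.indexOf("(")));
  // Anything other than the closing ">>" after the string was injected.
  return { value, injected: rest.trim() !== ">>" };
}

// The payload shown in the advisory above, used as test input.
const payload =
  "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

console.log(inspect(payload).injected);                    // raw input
console.log(inspect(escapePdfLiteral(payload)).injected);  // escaped input
```

This applies to affected versions (< 4.2.0) only; upgrading to 4.2.0 is the fix.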

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md

Packages

Name: jspdf (npm)
Affected versions: < 4.2.0
Fixed version: 4.2.0

EPSS

Percentile: 4%
0.00016
Low

8.1 High

CVSS3

Weaknesses

CWE-116
CWE-94

Related vulnerabilities

CVSS3: 9.6
redhat
about 1 month ago

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

CVSS3: 8.1
nvd
about 1 month ago

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

CVSS3: 8.1
debian
about 1 month ago

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, use ...

CVSS3: 8.8
fstec
about 1 month ago

Vulnerability in the addJS() function of the jsPDF PDF-generation library that allows an attacker to execute arbitrary code
