CVE-2026-25755
jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method
Description
### Impact User control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. ```js import { jsPDF } from "jspdf"; const doc = new jsPDF(); // Payload: // 1. ) closes the JS string. // 2. > closes the current dictionary. // 3. /AA ... injects an "Additional Action" that executes on focus/open. const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>"; doc.addJS(maliciousPayload); doc.save("vulnerable.pdf"); ``` ### Patches The vulnerability has been fixed in jspdf@4.2.0. ### Workarounds Escape parentheses in user-provided JavaScript code before passing them to the `addJS` method. ### References https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
How to fix CVE-2026-25755
To remediate CVE-2026-25755, upgrade the affected package to a fixed version below.
- —upgrade to 4.2.0 or later
Is CVE-2026-25755 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |