A serious security flaw in jsPDF, a widely used JavaScript library for generating PDFs in web browsers, puts millions of developers and their users at risk.
CVE-2026-25755 allows attackers to perform PDF Object Injection through the library’s addJS method. This vulnerability affects countless web applications that rely on jsPDF to create dynamic PDF documents from user data.
It carries a CVSS score of 8.8, rated High severity. Attackers can craft malicious inputs that escape the intended JavaScript context and inject harmful PDF structures directly into generated files.
jsPDF powers features like invoice generation, report exports, and form submissions across e-commerce sites, dashboards, and enterprise tools.
With over 1.5 million weekly downloads on npm, its popularity amplifies the threat. An attacker supplying tainted input, such as user comments or form fields, can trigger the flaw, producing PDFs that execute arbitrary actions when opened in any viewer.
The core issue lies in jsPDF’s javascript.js file. The addJS method directly concatenates user input into a PDF stream without proper sanitization. The vulnerable code reads: this.internal.out("/JS (" + text + ")");.
By including a closing parenthesis ) in the input, attackers prematurely end the JavaScript string. They then append PDF syntax >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >> to inject an “Additional Action” dictionary.
Unlike typical XSS attacks, this manipulates the PDF’s object hierarchy, bypassing JavaScript sandboxes in viewers like Adobe Acrobat.
- JavaScript-Independent Execution: Malicious actions such as /OpenAction can still be triggered even when JavaScript is disabled in the victim’s PDF viewer.
- Document Structure Tampering: Attackers can inject objects like /Encrypt, /Signatures, or /Annots to manipulate document metadata, alter security properties, or enable UI redressing and phishing attacks.
- Cross-Viewer Payload Reliability: The injected objects are parsed and executed by lightweight or embedded PDF viewers that may not support JavaScript but strictly adhere to the PDF object hierarchy, allowing consistent payload execution across platforms.
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2026-25755 | 8.8 (High) | PDF Object Injection in jsPDF’s addJS method due to unsanitized input allowing escape of JS context and arbitrary PDF dictionary injection. |
A proof-of-concept demonstrates the danger. Developers import jsPDF, create a document, and pass a payload like "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>" to addJS.
According to this advisory, saving the PDF triggers an alert on open, proving remote code-like behavior via PDF actions.
| Affected Versions | Patched Versions |
|---|---|
| < 4.1.0 | >= 4.1.0 |
To fix this, upgrade jsPDF to version 4.1.0 or later immediately. The patch escapes parentheses () and backslashes per PDF specs in addJS and related methods.
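The escaping described above can be checked with a small test harness. This is an added example, not jsPDF's patch code: the function names are hypothetical, and the reader is a simplified PDF literal-string parser that reports what, if anything, ends up outside the /JS string.

```javascript
// Added example; function names are illustrative, not jsPDF's API.
// PAYLOAD is the input string quoted in the article, used as test data.
const PAYLOAD = "console.log('test');) >> /AA << /O << /S /JavaScript " +
  "/JS (app.alert('Hacked!')) >> >>";

// The vulnerable pattern the article quotes: raw concatenation.
function jsEntryUnsafe(text) {
  return "/JS (" + text + ")";
}

// Escape backslashes and both parentheses for a PDF literal string.
function escapePdfLiteral(text) {
  return text.replace(/[\\()]/g, (c) => "\\" + c);
}
function jsEntryEscaped(text) {
  return "/JS (" + escapePdfLiteral(text) + ")";
}

// Simplified PDF literal-string reader: honours backslash escapes and
// balanced nested parentheses (octal and \n-style escapes are not decoded).
function readLiteral(entry) {
  const start = entry.indexOf("(");
  if (start < 0) throw new Error("no literal string found");
  let depth = 0, value = "";
  for (let i = start; i < entry.length; i++) {
    const c = entry[i];
    if (c === "\\") {
      if (i + 1 >= entry.length) throw new Error("dangling escape");
      value += entry[++i];
    } else if (c === "(") {
      if (depth++ > 0) value += c;
    } else if (c === ")") {
      if (--depth === 0) return { value, rest: entry.slice(i + 1) };
      value += c;
    } else {
      value += c;
    }
  }
  throw new Error("unterminated literal string");
}

// True only when the whole input stayed inside the /JS string.
function staysInsideString(entry, original) {
  const { value, rest } = readLiteral(entry);
  return value === original && rest.trim() === "";
}

console.log("unsafe:", staysInsideString(jsEntryUnsafe(PAYLOAD), PAYLOAD));
console.log("escaped:", staysInsideString(jsEntryEscaped(PAYLOAD), PAYLOAD));
```

A check like staysInsideString can serve as a regression test around any code path that places user-supplied text into a PDF string.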
Developers should rigorously validate all inputs to prevent untrusted data from being used in PDF generation. Scan dependencies with tools like npm audit or Snyk.
Test generated PDFs in multiple viewers for anomalies. Enterprises using jsPDF in production workflows must prioritize patches, as unpatched apps risk supply-chain-style attacks.