Critical jsPDF Vulnerability Exposes Millions to PDF Object Injection Attacks
A significant security flaw has been identified in the widely-used jsPDF library, potentially exposing millions of web developers and end-users to PDF Object Injection attacks. This vulnerability, designated as CVE-2026-25755, resides in the library’s `addJS` method, which is responsible for embedding JavaScript code into PDF documents.
Technical Details of the Vulnerability
The core issue stems from inadequate sanitization of user-supplied input within the `javascript.js` file of jsPDF. Specifically, the line of code:
```javascript
// jsPDF javascript.js (before 4.1.0): the caller-supplied text is written into the
// /JS literal string without escaping, so any ")" in it closes the string early
this.internal.out("/JS (" + text + ")");
```
concatenates unsanitized input directly into the PDF stream. This approach fails to escape closing parentheses, which serve as string delimiters in the PDF specification. Consequently, an attacker can inject a payload such as `) >> /Action …`, prematurely terminating the `/JS` string and inserting arbitrary PDF structures. This manipulation grants the attacker full control over embedded objects within the PDF.
Potential Impacts
Unlike traditional JavaScript-based Cross-Site Scripting (XSS) attacks, this vulnerability allows for direct manipulation of PDF object hierarchies. This capability enables malicious actors to execute actions or modify document structures even when JavaScript execution is disabled in the PDF viewer. The critical impacts include:
– Execution Despite JavaScript Restrictions: Injected PDF actions, such as `/OpenAction`, can trigger automatically upon opening the document, effectively bypassing JavaScript restrictions.
– Document Manipulation: Attackers can inject, encrypt, or modify sections like `/Annots` or `/Signatures`, altering metadata, conducting phishing attacks, or changing the PDF’s appearance.
– Cross-Viewer Risk: Lightweight PDF viewers, particularly those on mobile or embedded systems, may execute injected actions due to strict adherence to PDF object parsing rules.
Proof of Concept and Discovery
Security researcher ZeroXJacks, who discovered the vulnerability, demonstrated a proof-of-concept where a crafted `addJS` payload triggers custom PDF actions upon opening the document. This demonstration underscores the significant risk for applications that dynamically generate PDFs from user input. The root cause of the vulnerability is the absence of proper input validation and escaping in accordance with the PDF specification.
Mitigation and Recommendations
Developers are strongly advised to update to jsPDF version 4.1.0 or later, where input is correctly sanitized by escaping parentheses and backslashes. Until the update is applied, it is crucial to avoid embedding untrusted or user-generated content using the `addJS` method or related functions. Implementing strict input validation on any client-side PDF creation workflow is essential to prevent exploitation of this vulnerability.
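As an added example (not jsPDF's own code), the raw concatenation from the Technical Details section beside a hardened builder that escapes backslashes, parentheses and line breaks before the text enters the `/JS` literal string, plus a small scanner that checks whether the generated string closes where the generator intended. Function names and the sample input are assumptions constructed for this illustration.

```javascript
// Escape text for use inside a PDF literal string "( ... )" (PDF 32000-1, 7.3.4.2).
// Backslash is handled first so the escapes added afterwards are not doubled.
function escapePdfString(text) {
  return String(text)
    .replace(/\\/g, "\\\\")
    .replace(/\(/g, "\\(")
    .replace(/\)/g, "\\)")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
}

// The pre-4.1.0 pattern described in the article: raw concatenation.
function buildJsEntryUnsafe(text) {
  return "/JS (" + text + ")";
}

// Hardened form: escape before concatenating.
function buildJsEntrySafe(text) {
  return "/JS (" + escapePdfString(text) + ")";
}

// Walk a "/JS (...)" entry the way a PDF parser would and return the index of
// the ")" that really closes the literal string, or -1 if it never closes.
// A parenthesis preceded by a backslash does not count; unescaped nested
// parentheses must balance.
function findStringEnd(entry) {
  const start = entry.indexOf("(");
  if (start < 0) return -1;
  let depth = 0;
  for (let i = start; i < entry.length; i++) {
    const c = entry[i];
    if (c === "\\") { i++; continue; }   // skip the escaped character
    if (c === "(") depth++;
    else if (c === ")" && --depth === 0) return i;
  }
  return -1;
}

// True when the whole payload stays inside the literal string, i.e. nothing
// after the first unescaped ")" leaks into the surrounding PDF object.
function payloadStaysInString(entry) {
  return findStringEnd(entry) === entry.length - 1;
}

// Constructed sample input with an unbalanced ")" and a trailing backslash.
const SAMPLE = "app.alert('hi')) >> /Injected \\";
// payloadStaysInString(buildJsEntryUnsafe(SAMPLE)) -> false
// payloadStaysInString(buildJsEntrySafe(SAMPLE))   -> true
```

Balanced parentheses such as `f(x)` are legal inside a PDF literal string even unescaped, which is why the scanner tracks depth rather than rejecting every `)`.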
Conclusion
The discovery of CVE-2026-25755 in the jsPDF library highlights the importance of rigorous input validation and sanitization in software development. Given the widespread use of jsPDF in web applications, addressing this vulnerability promptly is critical to maintaining the security and integrity of PDF documents generated through this library.