Vulners
Lucene search
📄 jsPDF PDF Object Injection
| Reporter | Title | Published | Views | Family All 23 |
|---|---|---|---|---|
 | Security Bulletin: jsPDF addImage Method Vulnerable to DoS via Malicious Image Dimensions | 4 May 202612:26 | – | ibm |
| Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by multiple vulnerabilities in jsPDF (CVE-2026-25535, CVE-2026-25755, CVE-2026-25940) | 31 May 202613:40 | – | ibm |
 | CVE-2026-25755 vulnerabilities | 25 Feb 202601:17 | – | cgr |
 | CVE-2026-25755 | 19 Feb 202615:43 | – | circl |
 | jsPDF 安全漏洞 | 19 Feb 202600:00 | – | cnnvd |
 | CVE-2026-25755 | 19 Feb 202614:41 | – | cve |
 | CVE-2026-25755 jsPDF has PDF Object Injection via Unsanitized Input in addJS Method | 19 Feb 202614:41 | – | cvelist |
 | jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method | 19 Feb 202619:32 | – | github |
 | CVE-2026-25755 | 19 Feb 202615:16 | – | nvd |
 | CGA-VFRC-GXQ2-7X42 | 24 Feb 202618:45 | – | osv |
10
# CVE-2026-25755: PDF Object Injection in jsPDF (addJS Method)
## Description
A PDF Object Injection vulnerability was identified in the `addJS` method of `jsPDF`. The library fails to sanitize user-supplied input for the closing parenthesis character `)`, which acts as a delimiter for literal strings in the PDF specification. This allows an attacker to escape the JavaScript object context and inject arbitrary PDF dictionaries and actions.
## Root Cause Analysis
In `javascript.js`, the input `text` is concatenated directly into the PDF stream without escaping:
```javascript
// Vulnerable line in javascript.js
this.internal.out("/JS (" + text + ")");
```
By providing a payload like ) `>> /Action ...`, an attacker can prematurely close the /JS string and the surrounding dictionary, effectively gaining the ability to write raw PDF objects into the document structure.
### Impact Analysis
Unlike standard Cross-Site Scripting (XSS) or JS injection, PDF Object Injection bypasses the security sandboxes of the PDF JavaScript engine (AcroJS).
## Critical Risks:
`JS-Disabled Execution`: Malicious actions (e.g., /OpenAction) execute even if the user has disabled JavaScript in their PDF viewer.
`Document Structure Manipulation`: Ability to inject /Encrypt, /Signatures, or /Annots to alter document metadata or perform UI redressing/phishing attacks.
`Universal Payload Execution`: The injected objects are processed by lightweight viewers (mobile/embedded) that may lack JS support but strictly follow the PDF object hierarchy.
## Proof of Concept
The following payload escapes the JS context and injects an "Additional Action" that triggers an alert:
```JavaScript
import { jsPDF } from "jspdf";
const doc = new jsPDF();
// 1. ) closes the JS string.
// 2. >> closes the current dictionary.
// 3. /AA injects an Additional Action object.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
```
## Remediation
Upgrade `jsPDF` to version >= 4.1.0.
All user-supplied input in addJS and similar methods must escape parentheses ( ) and backslashes \ according to the PDF specification.
Researcher: ZeroXJacks
Severity: High (8.8)
"""Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Feb 2026 00:00Current
5.6Medium risk
Vulners AI Score5.6
CVSS 3.18.1 - 8.8
EPSS0.00633
SSVC