Millions of Developers Exposed: jsPDF Vulnerability Opens Door to Object Injection

The Scope of the Threat
jsPDF is one of the most widely adopted JavaScript libraries for generating PDF documents directly in the browser or on the server via Node.js. From invoices to reports to certificates, countless web applications rely on it every day. That's precisely why this vulnerability is so significant.
Tracked as CVE-2026-25755, the vulnerability affects the addJS method used to embed JavaScript code in PDF files.
Prior to version 4.2.0, user control of the argument in the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.
Root Cause Analysis
In javascript.js, the input text is concatenated directly into the PDF stream without proper escaping.
Here is the vulnerable line in javascript.js:
```javascript
this.internal.out("/JS (" + text + ")");
```
By providing a payload like ) >> /Action ..., an attacker can prematurely close the /JS string and the surrounding dictionary. This effectively grants the ability to write raw PDF objects directly into the document structure.
Unlike standard Cross-Site Scripting (XSS) or JS injection, PDF Object Injection completely bypasses the security sandboxes of the PDF JavaScript engine (AcroJS).
Critical Risks
- JS-Disabled Execution: Malicious actions (e.g., /OpenAction) execute even if the user has disabled JavaScript in their PDF viewer.
- Document Structure Manipulation: Attackers gain the ability to inject /Encrypt, /Signatures, or /Annots to alter document metadata or perform UI redressing and phishing attacks.
- Universal Payload Execution: The injected objects are processed by lightweight viewers (mobile/embedded) that may lack JS support but strictly follow the PDF object hierarchy.
Proof of Concept
The following payload escapes the JS context and injects an "Additional Action" that triggers an alert:
```javascript
import { jsPDF } from "jspdf";
const doc = new jsPDF();
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
```
Payload Breakdown:
- ) successfully closes the JS string.
- >> closes the current dictionary.
- /AA injects an Additional Action object into the document structure.
Remediation
The vulnerability has been patched in the latest release. Upgrading immediately to jsPDF version 4.2.0 or higher is the safest and most complete solution. Additionally, all user-supplied input passed to addJS and similar methods must have its parentheses ( ) and backslashes \ escaped as the PDF specification requires for literal strings, so the untrusted text can never close the /JS string or the dictionary that contains it.
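To make the escaping requirement concrete, here is an added example (not jsPDF's own code or its actual patch) that escapes a caller-supplied string before it is written into the /JS literal, and a small check that confirms the literal can no longer be closed early by the proof-of-concept payload. The names escapePdfString, buildJsAction and literalIsClosed are chosen for this example.

```javascript
// Added example, not jsPDF's own code: escape a caller-supplied string before
// it is written into a PDF literal, mirroring the "/JS (" + text + ")" write.
// escapePdfString, buildJsAction and literalIsClosed are names chosen here.

// PDF literal strings are delimited by ( and ) and use backslash as the escape
// character, so those three bytes are escaped; CR and LF are escaped as well.
function escapePdfString(text) {
  return String(text)
    .replace(/\\/g, "\\\\") // backslash first so later escapes are not doubled
    .replace(/\(/g, "\\(")
    .replace(/\)/g, "\\)")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
}

// The vulnerable concatenation with escaping applied to the untrusted part.
function buildJsAction(text) {
  return "/JS (" + escapePdfString(text) + ")";
}

// Check for the dictionary entry: the literal opened by "/JS (" must only be
// closed by the final ")". Escaped characters are skipped, so "\)" is data.
function literalIsClosed(entry) {
  let depth = 0;
  for (let i = 0; i < entry.length; i++) {
    const c = entry[i];
    if (c === "\\") { i++; continue; }
    if (c === "(") depth++;
    else if (c === ")") {
      depth--;
      if (depth === 0 && i !== entry.length - 1) return false; // closed early
    }
  }
  return depth === 0;
}

// Constructed input: the breakout payload shape from the proof of concept.
const payload =
  "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

console.log(literalIsClosed("/JS (" + payload + ")")); // false: the unescaped write breaks out
console.log(literalIsClosed(buildJsAction(payload)));  // true: the escaped text stays inside the literal
```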


