Platform
nodejs
Component
jspdf
Fixed in
4.2.2
4.2.1
CVE-2026-31938 is a critical Cross-Site Scripting (XSS) vulnerability affecting the jspdf Node.js library. This vulnerability allows attackers to inject malicious HTML into the browser context when a generated PDF is opened, potentially leading to session hijacking or defacement. The vulnerability impacts versions prior to 4.2.1 and can be exploited by manipulating the options argument within the output function. A fix is available in version 4.2.1.
The vulnerability lies in the output function's handling of the options argument. Attackers can leverage this by crafting malicious values for options like pdfobjectnewwindow, pdfJsUrl, filename, and others within the options object. These values are then directly included in the generated HTML, which is subsequently rendered in the user's browser. This allows for the execution of arbitrary JavaScript code within the user's session, potentially leading to account takeover, data theft, or defacement of the application. The blast radius is significant, as any application utilizing jspdf to generate PDFs and expose them to user interaction is vulnerable. This is similar to other XSS vulnerabilities where user-supplied data is improperly handled before being rendered in a web page.
This vulnerability was publicly disclosed on 2026-03-17. The CVSS score is 9.6 (CRITICAL), indicating high severity. While no active exploitation campaigns have been publicly reported as of this writing, the ease of exploitation and the widespread use of jspdf make it a likely target. The vulnerability is not currently listed in the CISA KEV catalog.
Applications that utilize the jspdf library to generate PDFs are at risk, particularly those that accept user-provided data to customize the PDF content. This includes web applications, desktop applications, and any other software that integrates with jspdf. Shared hosting environments where multiple applications share the same Node.js environment are also at increased risk, as a vulnerability in one application could potentially compromise others.
• nodejs / supply-chain:
Get-Process | Where-Object {$_.ProcessName -like '*node*'} | Select-Object Name, Id, Path
• nodejs / supply-chain:
Get-ChildItem -Path $env:NODE_PATH -Recurse -Filter "jspdf*" | Select-Object FullName
• generic web:
Use curl or wget to enumerate endpoints that generate PDFs and test whether parameters mapped to PDF output options are reflected unescaped. Examine the generated PDF file and its HTML wrapper for signs of injected markup.
Disclosure
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to jspdf version 4.2.1 or later, which includes the necessary sanitization to prevent XSS injection. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious input in the options parameter of the output function. Specifically, look for JSON payloads containing potentially malicious HTML tags or JavaScript code. Input validation on the server-side, before passing data to jspdf, can also provide an additional layer of defense. After upgrading, confirm the fix by attempting to generate a PDF with a crafted payload containing <script>alert('XSS')</script> in the vulnerable options and verifying that the script does not execute in the browser.
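The server-side validation step recommended above, as an added example that is not jsPDF project code: user-controlled output options are allowlisted before they reach the output function, so values the advisory says are interpolated into generated HTML cannot carry markup. The option names filename and pdfJsUrl come from the advisory; the filename pattern and the allowed pdf.js origin are assumptions for this example.

```javascript
// Added example (not jsPDF code): allowlist user-controlled output options
// before calling jsPDF's output(). Rejecting is safer than "cleaning" here,
// because the page states these values are placed directly into HTML.

// Assumed policy: simple ASCII names ending in .pdf, no quotes or angle brackets.
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.pdf$/;

// Assumed policy: pdf.js may only be loaded over HTTPS from this constructed origin.
const ALLOWED_PDFJS_ORIGINS = new Set(["https://static.example.com"]);

// Escape the characters that change meaning inside HTML text or attributes.
// Use this for any value the application itself later renders as HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Returns a new object containing only validated keys; every other key is dropped.
function sanitizeOutputOptions(userOptions) {
  const safe = {};
  if (userOptions.filename !== undefined) {
    if (typeof userOptions.filename !== "string" || !SAFE_FILENAME.test(userOptions.filename)) {
      throw new Error("rejected filename: must match " + SAFE_FILENAME);
    }
    safe.filename = userOptions.filename;
  }
  if (userOptions.pdfJsUrl !== undefined) {
    let url;
    try { url = new URL(userOptions.pdfJsUrl); } catch (e) { throw new Error("rejected pdfJsUrl: not an absolute URL"); }
    // Blocks javascript:, data: and non-allowlisted hosts in one check.
    if (url.protocol !== "https:" || !ALLOWED_PDFJS_ORIGINS.has(url.origin)) {
      throw new Error("rejected pdfJsUrl: origin not allowlisted");
    }
    safe.pdfJsUrl = url.href;
  }
  return safe;
}

// Constructed sample resembling the hostile options the advisory describes.
const hostileOptions = { filename: 'x"><script>alert(1)</script>.pdf', pdfJsUrl: "javascript:alert(1)" };

// Returns the rejection message for the sample, showing the check fires before output() is called.
function demo() {
  try { sanitizeOutputOptions(hostileOptions); return "forwarded"; } catch (e) { return e.message; }
}
```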
Update the jsPDF library to version 4.2.1 or later. Alternatively, sanitize user input before passing it to the output method to prevent HTML injection.
CVE-2026-31938 is a critical XSS vulnerability in the jspdf Node.js library, allowing attackers to inject malicious HTML into generated PDFs.
You are affected if you are using jspdf versions prior to 4.2.1 and your application allows user-controlled data to influence PDF generation options.
Upgrade to jspdf version 4.2.1 or later. If immediate upgrade is not possible, implement input validation and sanitization on PDF generation options.
No active exploitation campaigns have been reported, but public proof-of-concept exploits are likely to emerge.
Refer to the jspdf project's repository and related security advisories for the latest information.