Platform: nodejs
Component: jspdf
Fixed in: 4.2.2, 4.2.1
CVE-2026-31938 is a critical Cross-Site Scripting (XSS) vulnerability affecting the jspdf Node.js library. This vulnerability allows attackers to inject malicious HTML into the browser context when a generated PDF is opened, potentially leading to session hijacking or defacement. The vulnerability impacts versions prior to 4.2.1 and can be exploited by manipulating the options argument within the output function. A fix is available in version 4.2.1.
The vulnerability stems from a lack of proper sanitization of user-controlled input within the options parameter of the output function. Specifically, the pdfobjectnewwindow, pdfjsnewwindow, and dataurlnewwindow options are vulnerable. An attacker can craft malicious values for pdfObjectUrl, pdfJsUrl, filename, or the entire options object (which is JSON-serialized) to inject arbitrary HTML, including JavaScript, into the PDF viewer's context. This injected script can then execute in the user's browser, allowing the attacker to steal cookies, redirect the user to a malicious website, or perform other actions on their behalf. The blast radius is significant, as any application using the vulnerable version of jspdf to generate PDFs could be exploited.
CVE-2026-31938 was publicly disclosed on 2026-03-17. No known active exploitation campaigns have been reported at the time of this writing, and the vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's severity and ease of exploitation.
Exploit Status
EPSS: 0.04% (12% percentile)
The primary mitigation is to upgrade to jspdf version 4.2.1 or later, which includes a fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the options parameter before passing it to the output function. While not a complete solution, this can reduce the attack surface. Additionally, consider using a Web Application Firewall (WAF) to filter out potentially malicious requests targeting the PDF generation endpoint. Monitor application logs for unusual activity or attempts to manipulate the PDF generation process. After upgrading, confirm the fix by attempting to generate a PDF with a crafted payload containing HTML tags and verifying that the tags are properly escaped or removed.
Update the jsPDF library to version 4.2.1 or higher. Alternatively, sanitize user inputs before passing them to the output method to prevent HTML injection.
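One way to implement the input validation described above, as an added example that is not jsPDF's own code or its fix. The names safeOutputOptions, ALLOWED_VIEWER_URLS, SAFE_FILENAME and verdict, the example.com URLs and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: allowlist validation for the options handed to jsPDF's output().
// All names and URLs below are hypothetical; adjust them to your deployment.
const ALLOWED_VIEWER_URLS = new Set([
  "https://app.example.com/vendor/pdfobject.min.js",
  "https://app.example.com/vendor/pdfjs/web/viewer.html",
]);
// Letters, digits, space, dot, underscore, hyphen; must end in .pdf.
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}\.pdf$/;
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a fresh object holding only validated fields; throws on anything else.
// Unknown keys are dropped because the whole options object is serialized.
function safeOutputOptions(untrusted) {
  const src = untrusted !== null && typeof untrusted === "object" ? untrusted : {};
  const safe = {};
  if (has(src, "filename")) {
    if (typeof src.filename !== "string" || !SAFE_FILENAME.test(src.filename)) {
      throw new TypeError("filename rejected");
    }
    safe.filename = src.filename;
  }
  for (const key of ["pdfObjectUrl", "pdfJsUrl"]) {
    if (!has(src, key)) continue;
    if (typeof src[key] !== "string" || !ALLOWED_VIEWER_URLS.has(src[key])) {
      throw new TypeError(key + " rejected");
    }
    safe[key] = src[key];
  }
  return safe;
}

// Constructed sample inputs, standing in for request data.
function verdict(options) {
  try {
    return "accepted " + JSON.stringify(safeOutputOptions(options));
  } catch (err) {
    return "rejected: " + err.message;
  }
}
const samples = [
  { filename: "q3-report.pdf", theme: "<i>dropped</i>" },
  { filename: 'report"><b>x</b>.pdf' },
  { pdfJsUrl: "https://cdn.example.net/viewer.html" },
];
for (const s of samples) console.log(verdict(s));
// Usage (jsPDF call): doc.output("pdfobjectnewwindow", safeOutputOptions(req.body.options));
```

Validation of this kind narrows what reaches the output function on an unpatched version; it does not replace the upgrade to 4.2.1 or later.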
CVE-2026-31938 is a critical XSS vulnerability in the jspdf Node.js library, allowing attackers to inject malicious HTML into generated PDFs.
You are affected if you are using jspdf versions prior to 4.2.1 and your application allows user-controlled data to influence PDF generation options.
Upgrade to jspdf version 4.2.1 or later. If immediate upgrade is not possible, implement input validation and sanitization on PDF generation options.
No active exploitation campaigns have been reported, but public proof-of-concept exploits are likely to emerge.
Refer to the jspdf project's repository and related security advisories for the latest information.