Platform
nodejs
Component
jspdf
Fixed versions
4.2.2
4.2.1
CVE-2026-31938 is a critical Cross-Site Scripting (XSS) vulnerability affecting the jspdf Node.js library. This vulnerability allows attackers to inject malicious HTML into the browser context when a generated PDF is opened, potentially leading to session hijacking or defacement. The vulnerability impacts versions prior to 4.2.1 and can be exploited by manipulating the options argument within the output function. A fix is available in version 4.2.1.
The vulnerability stems from a lack of proper sanitization of user-controlled input within the options parameter of the output function. Specifically, the pdfobjectnewwindow, pdfjsnewwindow, and dataurlnewwindow options are vulnerable. An attacker can craft malicious values for pdfObjectUrl, pdfJsUrl, filename, or the entire options object (which is JSON-serialized) to inject arbitrary HTML, including JavaScript, into the PDF viewer's context. This injected script can then execute in the user's browser, allowing the attacker to steal cookies, redirect the user to a malicious website, or perform other actions on their behalf. The blast radius is significant, as any application using the vulnerable version of jspdf to generate PDFs could be exploited.
CVE-2026-31938 was publicly disclosed on 2026-03-17. No known active exploitation campaigns have been reported at the time of this writing. There are currently no entries on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's severity and ease of exploitation.
Applications that utilize the jspdf library to generate PDFs are at risk, particularly those that accept user-provided data to customize the PDF content. This includes web applications, desktop applications, and any other software that integrates with jspdf. Shared hosting environments where multiple applications share the same Node.js environment are also at increased risk, as a vulnerability in one application could potentially compromise others.
• nodejs / supply-chain:
Get-Process | Where-Object {$_.ProcessName -like '*node*'} | Select-Object Name, Id, Path
• nodejs / supply-chain:
Get-ChildItem -Path $env:NODE_PATH -Recurse -Filter "jspdf*" | Select-Object FullName
• generic web:
Use curl or wget to identify endpoints that generate PDFs, then submit HTML payloads in the parameters that map to PDF output options. Examine the generated PDF and the viewer page for signs of injected markup or script.
disclosure
Exploitation status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to jspdf version 4.2.1 or later, which includes a fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the options parameter before passing it to the output function. While not a complete solution, this can reduce the attack surface. Additionally, consider using a Web Application Firewall (WAF) to filter out potentially malicious requests targeting the PDF generation endpoint. Monitor application logs for unusual activity or attempts to manipulate the PDF generation process. After upgrading, confirm the fix by attempting to generate a PDF with a crafted payload containing HTML tags and verifying that the tags are properly escaped or removed.
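An added example, not from this advisory or the jsPDF project, of the interim validation described above: an allow-list check on the option fields the advisory names (filename, pdfObjectUrl, pdfJsUrl) before the object is handed to output(). The function names, the allowed key set and the patterns are assumptions chosen for this example, not jsPDF APIs.

```javascript
// Added example: validate user-controlled jsPDF output() options before they
// reach the viewer HTML built for pdfobjectnewwindow / pdfjsnewwindow /
// dataurlnewwindow. Standalone; does not import jsPDF. Function names and
// patterns are assumptions for this example, not part of jsPDF.

// Only the fields the advisory names are forwarded. Unknown keys are dropped
// because the whole options object may be JSON-serialized into the page.
const ALLOWED_KEYS = new Set(['filename', 'pdfObjectUrl', 'pdfJsUrl']);

// Viewer script URLs must parse, use http(s), and carry no characters that
// could close an attribute, a tag, or a script string.
function isSafeViewerUrl(value) {
  if (typeof value !== 'string') return false;
  let url;
  try { url = new URL(value); } catch (e) { return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return !/[<>"'`\\]/.test(value);
}

// Filenames: conservative allow-list, no path separators, must end in .pdf.
function isSafeFilename(value) {
  return typeof value === 'string' && /^[A-Za-z0-9._-]{1,128}\.pdf$/.test(value);
}

// Returns a fresh object holding only validated fields. Any value that would
// need escaping is rejected outright so the caller fails closed.
function sanitizeOutputOptions(userOptions) {
  const clean = {};
  for (const [key, value] of Object.entries(userOptions || {})) {
    if (!ALLOWED_KEYS.has(key)) continue;
    const ok = key === 'filename' ? isSafeFilename(value) : isSafeViewerUrl(value);
    if (!ok) throw new Error(`Rejected unsafe value for output option "${key}"`);
    clean[key] = value;
  }
  return clean;
}

// Intended use (req.body.options is a constructed, hypothetical source):
// doc.output('pdfjsnewwindow', sanitizeOutputOptions(req.body.options));
```

Rejecting rather than escaping keeps the check independent of how the library interpolates each field, which matters when the entire object is serialized into the viewer page.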
Update the jsPDF library to version 4.2.1 or later. As an alternative, sanitize user input before passing it to the output method so that HTML injection is avoided.
CVE-2026-31938 is a critical XSS vulnerability in the jspdf Node.js library, allowing attackers to inject malicious HTML into generated PDFs.
You are affected if you are using jspdf versions prior to 4.2.1 and your application allows user-controlled data to influence PDF generation options.
Upgrade to jspdf version 4.2.1 or later. If immediate upgrade is not possible, implement input validation and sanitization on PDF generation options.
No active exploitation campaigns have been reported, but public proof-of-concept exploits are likely to emerge.
Refer to the jspdf project's repository and related security advisories for the latest information.