Platform
nodejs
Component
jspdf
Fixed in
4.2.1
4.2.0
CVE-2026-25755 is a security vulnerability affecting the jspdf library, a JavaScript library for generating PDF documents. This vulnerability allows attackers to inject arbitrary PDF objects into generated documents through the addJS method, potentially leading to malicious actions or document manipulation. The vulnerability impacts versions of jspdf prior to 4.2.0, and a fix has been released in version 4.2.0.
The core of this vulnerability lies in the lack of proper sanitization of user-controlled input within the addJS method. Attackers can craft malicious payloads that escape the JavaScript string delimiter, allowing them to inject arbitrary PDF objects. This injection can be leveraged to execute actions within the PDF document, such as opening external URLs, displaying malicious content, or even modifying the document's structure. The impact extends to any user who opens the compromised PDF, regardless of their system or software. This is similar in concept to other PDF injection vulnerabilities where malicious code is embedded within a seemingly harmless document.
CVE-2026-25755 was publicly disclosed on 2026-02-19. There is currently no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is pending evaluation. Public proof-of-concept (PoC) code is available, demonstrating the feasibility of exploiting this vulnerability.
Applications that utilize the jspdf library to generate PDF documents are at risk, particularly those that allow users to control the content passed to the addJS method. This includes web applications, Node.js services, and any other environment where jspdf is used for PDF generation.
• nodejs / supply-chain:
npm list jspdf
# Check version, should be >= 4.2.0
• generic web:
curl 'your-pdf-generation-endpoint' | grep -aiF "console.log('test');)"
# Look for injected JavaScript in the PDF content.
Exploit Status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25755 is to upgrade to jspdf version 4.2.0 or later, which includes the necessary fixes. If upgrading is not immediately feasible, consider implementing input validation on the addJS method to prevent the injection of malicious characters. While not a complete solution, a Web Application Firewall (WAF) could be configured to inspect PDF generation requests for suspicious patterns. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual PDF object creation within your application could be a proactive measure. After upgrading, confirm the fix by attempting to generate a PDF with a known malicious payload and verifying that it is properly sanitized.
Upgrade the jsPDF library to version 4.2.0 or later. Alternatively, escape the parentheses in user-supplied JavaScript code before passing it to the `addJS` method.
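The escaping workaround above, as an added example that is not jsPDF's own code: it escapes a script for a PDF literal string and checks, with a simplified reader, that the string still closes where the writer intended. The function names are hypothetical, the writer is modelled as placing the script between `(` and `)`, and the inputs are constructed; it also covers the backslash, which parentheses-only escaping misses.

```javascript
// Escape every character that is special inside a PDF literal string.
// The backslash must be covered too: escaping only "(" and ")" turns the
// input `\)` into `\\)`, i.e. a literal backslash followed by a live ")".
function escapePdfLiteral(text) {
  return String(text).replace(/[\\()]/g, (ch) => '\\' + ch);
}

// The narrower workaround (parentheses only), kept for comparison.
function escapeParensOnly(text) {
  return String(text).replace(/[()]/g, (ch) => '\\' + ch);
}

// Simplified reader for a PDF literal string such as "(...)": returns the
// decoded value and whatever follows the closing ")". Octal and \n-style
// escapes are not decoded; a backslash just makes the next character literal.
function readPdfLiteral(src) {
  if (src[0] !== '(') throw new Error('not a literal string');
  let depth = 0;
  let value = '';
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (ch === '\\') { value += src[++i] ?? ''; continue; }
    if (ch === '(' && ++depth === 1) continue;      // opening delimiter
    if (ch === ')' && --depth === 0) {
      return { value, rest: src.slice(i + 1) };     // string closed here
    }
    value += ch;
  }
  throw new Error('unterminated literal string');
}

// Assumed model of the writer: the script is placed between "(" and ")".
function roundTrip(script, escape) {
  return readPdfLiteral('(' + escape(script) + ')');
}

// Constructed inputs: the marker string from the check above, and a
// backslash followed by ")".
const samples = ["console.log('test');)", 'a\\)'];
for (const s of samples) {
  for (const fn of [(x) => x, escapeParensOnly, escapePdfLiteral]) {
    const { value, rest } = roundTrip(s, fn);
    console.log(JSON.stringify({ input: s, intact: value === s && rest === '' }));
  }
}
```

A non-empty `rest` means the string closed early and the remainder would be read as PDF syntax rather than as script text. Treat this as the interim measure for versions that cannot yet be upgraded; the upgrade remains the fix.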
CVE-2026-25755 is a HIGH severity vulnerability in jspdf versions before 4.2.0 that allows attackers to inject malicious PDF objects via the addJS method, potentially executing actions or altering the document.
You are affected if you are using jspdf versions prior to 4.2.0 and allow user-controlled input to be passed to the addJS method.
Upgrade to jspdf version 4.2.0 or later. If immediate upgrade is not possible, implement input validation on the addJS method.
There is currently no indication of active exploitation campaigns targeting this vulnerability, but a PoC is available.
Refer to the jspdf project's repository or website for official advisories and updates related to CVE-2026-25755.