CVE-2026-25755 Overview
CVE-2026-25755 is a Code Injection vulnerability affecting jsPDF, a popular JavaScript library used to generate PDF documents. Prior to version 4.2.0, the addJS method fails to properly sanitize user-controlled input, allowing attackers to inject arbitrary PDF objects into generated documents. By crafting a malicious payload that escapes the JavaScript string delimiter (parentheses), an attacker can execute malicious actions or alter the document structure, potentially impacting any user who opens the generated PDF.
Critical Impact
Attackers can inject arbitrary PDF objects through unsanitized user input in the addJS method, potentially executing malicious JavaScript when victims open the compromised PDF documents.
Affected Products
- jsPDF versions prior to 4.2.0
- Applications utilizing jsPDF's addJS method with user-controlled input
- Web applications generating PDFs with embedded JavaScript functionality
Discovery Timeline
- 2026-02-19 - CVE CVE-2026-25755 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-25755
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code, or Code Injection). The addJS method in jsPDF allows developers to embed JavaScript code within generated PDF documents. However, versions prior to 4.2.0 failed to properly escape special characters—specifically parentheses—in user-provided JavaScript strings before embedding them into the PDF structure.
PDF documents use parentheses as string delimiters in their object notation. When user input containing unescaped parentheses is passed to the addJS method, an attacker can break out of the intended JavaScript string context and inject arbitrary PDF objects or commands into the document structure.
Root Cause
The root cause lies in the missing input sanitization for parentheses characters within the addJS method. The vulnerable code directly embedded user-provided JavaScript into PDF stream objects without escaping the ( and ) characters that serve as string delimiters in PDF syntax. This allows attackers to terminate the intended string early and inject malicious PDF object content.
Attack Vector
The attack requires network access and user interaction—an attacker must convince a victim to open a maliciously crafted PDF generated through a vulnerable application. The attack chain involves:
- Attacker identifies an application using a vulnerable jsPDF version that passes user input to addJS
- Attacker crafts input containing parentheses designed to escape the PDF string context
- The application generates a PDF with injected malicious content
- When a victim opens the PDF, the injected code or objects execute
* @returns {jsPDF}
*/
jsPDFAPI.addJS = function(javascript) {
- // FIX: Move variables inside function scope to prevent shared state
- // between multiple jsPDF instances
var jsNamesObj;
var jsJsObj;
- var text = javascript;
+ // Escape only unescaped parentheses, without double-escaping already escaped ones
+ function escapeParens(str) {
+ let out = "";
+ for (let i = 0; i < str.length; i++) {
+ const ch = str[i];
+ if (ch === "(" || ch === ")") {
+ // Count preceding backslashes to determine if the paren is already escaped
+ let bs = 0;
+ for (let j = i - 1; j >= 0 && str[j] === "\\"; j--) {
+ bs++;
+ }
+ if (bs % 2 === 0) {
+ out += "\\" + ch;
+ } else {
+ out += ch;
+ }
+ } else {
+ out += ch;
+ }
+ }
+ return out;
+ }
Source: GitHub Commit Update
Detection Methods for CVE-2026-25755
Indicators of Compromise
- PDF documents containing unexpected or malicious JavaScript payloads
- Unusual PDF object structures with injected content following JavaScript strings
- Application logs showing suspicious parentheses sequences in addJS input parameters
- Generated PDFs triggering security warnings in PDF readers
Detection Strategies
- Implement static code analysis to identify jsPDF versions below 4.2.0 in application dependencies
- Monitor for user input containing escape sequences or parentheses patterns targeting PDF injection
- Deploy file integrity monitoring on PDF generation endpoints to detect anomalous output
- Use software composition analysis (SCA) tools to flag vulnerable jsPDF packages
Monitoring Recommendations
- Enable logging for all addJS method invocations with input parameter capture
- Monitor PDF generation services for unusual patterns in JavaScript embedding requests
- Implement Content Security Policy headers where applicable to restrict PDF JavaScript execution
- Review dependency manifests (package.json, package-lock.json) for jsPDF version compliance
How to Mitigate CVE-2026-25755
Immediate Actions Required
- Upgrade jsPDF to version 4.2.0 or later immediately
- Audit all code paths where user input may reach the addJS method
- Implement input validation to reject or sanitize parentheses in JavaScript strings
- Review recently generated PDFs for signs of object injection
Patch Information
The vulnerability has been fixed in jsPDF version 4.2.0. The patch introduces the escapeParens function that properly escapes parentheses characters in user-provided JavaScript code before embedding them into PDF objects. The fix intelligently handles already-escaped parentheses to avoid double-escaping.
For detailed patch information, see the GitHub Security Advisory GHSA-9vjf-qc39-jprp and the GitHub jsPDF Release v4.2.0.
Workarounds
- Escape parentheses in user-provided JavaScript code before passing to addJS method
- Implement server-side validation to strip or reject input containing ( or ) characters
- Disable JavaScript embedding functionality if not required for your use case
- Use Content Security Policy to restrict JavaScript execution in generated PDFs
# Configuration example
# Update jsPDF to patched version
npm update jspdf@4.2.0
# Or install specific patched version
npm install jspdf@4.2.0 --save
# Verify installed version
npm list jspdf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
