jsPDF CVE-2026-25755 Object Injection
Web applications that generate PDFs with jsPDF versions before 4.1.0 are exposed to the object injection flaw tracked as CVE-2026-25755. A remote attacker who controls input passed into the document can embed arbitrary PDF objects, altering how the document behaves in any viewer. The impact ranges from metadata changes to automatically triggered actions, threatening document integrity across client environments.
jsPDF Object Injection Mechanics
The flaw originates in javascript.js, where addJS concatenates raw input into the PDF stream without escaping string delimiters such as the closing parenthesis. An attacker can therefore terminate the string early and inject further structures such as actions or annotations. Because the injected structures are ordinary PDF objects, spec-compliant parsers process them as part of the document, so the problem persists even in viewers with JavaScript disabled.
Lightweight mobile readers, which apply fewer controls while parsing, widen the exposure.
CVE-2026-25755 Details
The table below lists the jsPDF object injection vulnerability.
| CVE Identifier | Vulnerability Description | CVSS Score |
|---|---|---|
| CVE-2026-25755 | PDF Object Injection in jsPDF’s addJS method allows arbitrary object injection and action execution in generated PDFs. | 8.8 |
This table summarizes the core flaw reported by researcher ZeroXJacks.
Dynamic PDF applications that process user-supplied content risk full document compromise. An injected /OpenAction executes when the file is opened, evading sandboxing; altered /Annots enable phishing overlays; and forged /Signatures lend the document false authenticity.
Cross-Viewer Execution Risks
PDF parsers process the object hierarchy before any JavaScript runs, so injected payloads take effect regardless of a viewer's script settings. Embedded viewers in browsers or apps inherit the host's exposure, propagating the manipulation to end users. Confidentiality erodes through metadata exfiltration; availability suffers while remediation scans run.
Server-side generation magnifies the reach when the generated output is distributed widely.
Document Manipulation Vectors
Attackers can embed encryption that bypasses viewer prompts or modify appearances for fraud. Because the injected objects persist in the generated file, sanitization aimed at JavaScript alone does not remove them. Operational workflows halt when integrity checks fail on tainted files.
Defending against jsPDF object injection therefore requires input validation layers.
Remediation and Best Practices
Updating to jsPDF 4.1.0 or later applies the fix, which escapes parentheses and backslashes in streams. Interim measures reject untrusted addJS calls and validate inputs against the PDF spec delimiters. Client-side workflows should audit dynamic content and avoid embedding external data without whitelisting.
Patch rollout restores generation pipelines without refactoring.
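The escaping the fix is described to apply, together with an interim balance check for deployments that cannot upgrade yet, as an added example; this is illustrative code, not jsPDF's own, and the escapePdfLiteral, buildJsActionObject, hasBalancedParens and countObjects names, as well as the object layout and numbering, are assumptions made for the illustration.

```javascript
// Added example, not jsPDF's own code. In a PDF literal string only the
// backslash and the two parentheses carry structural meaning, so those are
// the characters an escape must cover before input is concatenated into
// a /JS entry.

// Escape the three delimiter characters of a PDF literal string.
function escapePdfLiteral(text) {
  return String(text).replace(/[\\()]/g, (c) => "\\" + c);
}

// Build a /JavaScript action dictionary the way an addJS-style helper would,
// with the user-supplied script wrapped in an escaped literal string.
// Hypothetical layout; the object number is a placeholder.
function buildJsActionObject(objNum, script) {
  return `${objNum} 0 obj\n<< /S /JavaScript /JS (${escapePdfLiteral(script)}) >>\nendobj`;
}

// Interim check for pipelines still on a pre-4.1.0 build: accept only scripts
// whose parentheses are balanced, because an unbalanced ')' is what lets
// input close the literal string early. A backslash-escaped delimiter is
// skipped rather than counted.
function hasBalancedParens(text) {
  let depth = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (c === "\\") { i++; continue; }           // skip the escaped character
    if (c === "(") depth++;
    else if (c === ")") { depth--; if (depth < 0) return false; }
  }
  return depth === 0;
}

// Integrity check on a generated fragment: one script must yield exactly one
// top-level object declaration. Any other count means the string boundary
// was crossed.
function countObjects(fragment) {
  return (fragment.match(/^\d+ 0 obj$/gm) || []).length;
}
```

Pair the two checks: validate with hasBalancedParens before calling the library, and count declared objects in the output as a regression check after the upgrade.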
jsPDF CVE-2026-25755 exposes PDF pipelines to structural hijacking.
jsPDF object injection via CVE-2026-25755 undermines the integrity of generated documents, enabling unauthorized actions even where JavaScript is disabled. jsPDF 4.1.0 patches the input handling as described in the advisories, and input validation preserves availability. Affected deployments should prioritize the upgrade to counter evasion across viewers.