Vulnerability Injection Attacks in jsPDF

Millions of web developers are now vulnerable to PDF Object Injection attacks due to a recently discovered security flaw in the widely used jsPDF library, which enables remote attackers to insert arbitrary objects and actions into generated PDF documents. The vulnerability, identified as CVE-2026-25755, impacts the addJS method, which is used to embed JavaScript code in PDF documents.

The problem stems from the javascript.js file in jsPDF not properly sanitizing user-supplied input. In particular, the problematic line concatenates unsanitized input straight into the PDF stream:

    this.internal.out("/JS (" + text + ")");

The closing parenthesis, which serves as a string delimiter in the PDF specification, is not escaped by this logic.

Attackers can gain complete control over embedded objects by injecting arbitrary PDF structures and prematurely terminating the /JS string with a payload like ") >> /Action …".

CVE ID: CVE-2026-25755
CVSS Score: 8.8 (High)
Description: PDF Object Injection in jsPDF's addJS method permits arbitrary object injection and action execution in generated PDFs.

This vulnerability directly modifies PDF object hierarchies, in contrast to standard JavaScript-based XSS attacks. This enables malicious actors to alter document structures or carry out actions even if the viewer disables JavaScript. Important effects include:

- JS-disabled execution: Injected PDF actions (like /OpenAction) can start automatically, circumventing JavaScript restrictions.
- Document manipulation: To change metadata, carry out phishing, or change the look of the PDF, attackers can insert, encrypt, or change the /Annots or /Signatures sections.
- Cross-viewer risk: Because lightweight PDF viewers, particularly mobile or embedded ones, strictly adhere to PDF object parsing rules, they may perform injected actions.

The problem was found by security researcher ZeroXJacks, who also showed a proof-of-concept that employs a specially constructed addJS payload to initiate custom PDF actions when the document opens. This draws attention to a significant danger for programs that create PDFs on the fly based on user input.

Missing input validation and escaping in accordance with the PDF specification are the root causes of the problem. Developers are strongly advised to update to jsPDF version 4.1.0 or higher, as this version correctly sanitizes input by escaping backslashes and parentheses. Until the patch is applied, users should enforce stringent input validation on any client-side PDF creation workflow and refrain from embedding untrusted or user-generated content using addJS or related methods.
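The escaping that the fix is described as performing, shown beside the unescaped concatenation, as an added example that is not jsPDF's own code. The function names and sample inputs are constructed for illustration; the scanner follows the PDF literal-string rules (backslash escapes the next character, balanced parentheses may nest).

```javascript
// Added example, not jsPDF source. All function names here are hypothetical.

// Escape the characters that are special inside a PDF literal string.
// Backslashes go first so the escapes added afterwards are not doubled.
function escapePdfLiteral(text) {
  return text
    .replace(/\\/g, "\\\\")
    .replace(/\(/g, "\\(")
    .replace(/\)/g, "\\)");
}

// The concatenation pattern the article describes (input used as-is).
function jsEntryUnescaped(text) {
  return "/JS (" + text + ")";
}

// The same entry with backslashes and parentheses escaped.
function jsEntryEscaped(text) {
  return "/JS (" + escapePdfLiteral(text) + ")";
}

// Index of the ")" that closes the literal string opening at `start`,
// or -1 if the string never closes.
function literalStringEnd(entry, start) {
  let depth = 0;
  for (let i = start; i < entry.length; i++) {
    const c = entry[i];
    if (c === "\\") { i++; continue; }      // escaped char: skip it
    if (c === "(") depth++;
    else if (c === ")" && --depth === 0) return i;
  }
  return -1;
}

// True when the entry is exactly one /JS string with nothing after it.
function isSingleString(entry) {
  return literalStringEnd(entry, entry.indexOf("(")) === entry.length - 1;
}

// Constructed inputs: an unbalanced ")" and a trailing backslash.
const strayParen = "x) >> /Example (y";
const trailingBackslash = "a\\";
```

Balanced parentheses such as `app.alert(1)` pass this check even unescaped, which is why the defect only shows up with unbalanced input or a trailing backslash.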
