jsPDF addJS Vulnerability Enables PDF Object Injection (CVE-2026-25755)
jsPDF developers face a critical vulnerability in the popular PDF generation library. CVE-2026-25755 (CVSS 8.8) affects the addJS method, allowing attackers to inject arbitrary PDF objects and actions through unsanitized input. Millions of web applications generating PDFs from user content now risk remote code execution in PDF viewers. ZeroXJacks disclosed the proof-of-concept
The flaw lives in javascript.js, where user input is concatenated directly into PDF streams: this.internal.out("/JS (" + text + ")");. Attackers inject payloads like ) >> /Action … to break out of the JavaScript string and inject PDF structures. This bypasses JavaScript restrictions entirely.
Unlike XSS attacks requiring JS execution, PDF object injection manipulates document hierarchies directly. Injected /OpenAction triggers automatically even in JS-disabled viewers. Attackers modify /Annots, /Signatures, or metadata for phishing and persistence.
jsPDF powers document generation across CMS platforms, reporting tools, and invoice systems. Dynamic PDF creation from user forms, templates, or databases amplifies exposure. Lightweight mobile PDF viewers execute injected actions due to strict PDF spec compliance.
Technical Breakdown
Core Issue: Missing escaping of closing parenthesis ) and backslashes in JS streams.
Attack Vector: Remote via malicious addJS() input.
Impact Scope: Cross-viewer; affects Adobe Reader, browser viewers, mobile apps.
Detection: Monitor PDF generation logs for malformed /JS streams.
PoC Payload Example:
") >> /OpenAction << /S /JavaScript /JS (alert('XSS')) >>"
This terminates the legitimate /JS string early, injects an /OpenAction, and executes JavaScript when the PDF opens.
Risk Impact Table
| Attack Stage | Technique | Consequence |
|---|---|---|
| Injection | ) + >> /Action | Breakout from JS stream |
| Execution | /OpenAction << /S /JavaScript | Auto-trigger on open |
| Persistence | /Annots manipulation | Hidden malicious annotations |
| Evasion | Metadata/Signature injection | Bypass JS detection |
Real-world vectors include: Contact forms generating PDFs, automated reports, invoice systems pulling user data. Server-side PDF generation amplifies risk as attackers control input sources.
Vulnerable Code vs Fixed
Vulnerable (pre-4.1.0):
this.internal.out("/JS (" + text + ")");
Fixed (4.1.0+):
// Escapes parentheses and backslashes per PDF spec
this.internal.out("/JS (" + this.internal.pdfEscape(text) + ")");
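The effect of the escaping can be checked by reading the generated entry back the way a PDF parser would. The following is an added example, not code from jsPDF or from the original article; escapePdfLiteral, buildJsEntry and readLiteral are hypothetical names, and the reader is a simplified model of PDF literal-string parsing.

```javascript
// Added example, not jsPDF source. All function names are hypothetical.

// Escape backslashes first, then both parentheses (PDF literal-string rules).
function escapePdfLiteral(text) {
  return String(text)
    .replace(/\\/g, "\\\\")
    .replace(/\(/g, "\\(")
    .replace(/\)/g, "\\)");
}

// Mirrors the "/JS (" + text + ")" pattern quoted in the article.
function buildJsEntry(text, escape) {
  return "/JS (" + (escape ? escapePdfLiteral(text) : text) + ")";
}

// Simplified literal-string reader: a backslash makes the next character data
// (enough for \\, \( and \)), and unescaped parentheses must balance.
// Returns the string's content and whatever follows its closing parenthesis.
function readLiteral(entry) {
  const start = entry.indexOf("(");
  if (start < 0) throw new Error("no literal string found");
  let depth = 0;
  let value = "";
  for (let i = start; i < entry.length; i++) {
    const c = entry[i];
    if (c === "\\") {
      if (i + 1 >= entry.length) break;
      value += entry[++i];
    } else if (c === "(") {
      if (depth++ > 0) value += c;
    } else if (c === ")") {
      if (--depth === 0) return { value, trailing: entry.slice(i + 1) };
      value += c;
    } else {
      value += c;
    }
  }
  throw new Error("unterminated literal string");
}

// The PoC string from the article, used here as test input.
const payload = ") >> /OpenAction << /S /JavaScript /JS (alert('XSS')) >>";
const before = readLiteral(buildJsEntry(payload, false));
const after = readLiteral(buildJsEntry(payload, true));
console.log("unescaped:", JSON.stringify(before));
console.log("escaped:  ", JSON.stringify(after));
```

A non-empty trailing value means part of the input landed outside the string, so the same reader works as a regression check in tests for PDF generation code.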
Immediate Remediation Steps
- Upgrade to jsPDF 4.1.0+ across all applications immediately
- Disable addJS() for untrusted content until patched
- Implement server-side input sanitization removing ), \, PDF operators
- Deploy Content Security Policy blocking inline PDF JavaScript
- Audit PDF generation workflows for user-controlled inputs
- Monitor generated PDFs with PDF malware scanners
jsPDF serves 10M+ monthly downloads. Unpatched versions expose enterprise document workflows to supply chain compromise. Automated PDF generation demands strict input controls.
Attackers weaponize this for phishing campaigns embedding malicious payloads in legitimate-looking documents. PDF viewers parse object hierarchies before JS execution, creating a stealthier vector than traditional XSS.
FAQ
Breaks out of JS streams to inject arbitrary PDF objects, bypassing JavaScript restrictions entirely.
All versions prior to 4.1.0. Update immediately.
No. Manipulates PDF object hierarchy directly. Executes even in JS-disabled viewers.
User-controlled input to addJS() method in web forms, templates, reporting tools.
CMS document export, invoice systems, reporting dashboards, form-to-PDF converters.