jsPDF Vulnerability Exposes Millions of Developers to Object Injection Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly disclosed security flaw in the popular jsPDF library has exposed millions of web developers to PDF Object Injection attacks, allowing remote attackers to embed arbitrary objects and actions into generated PDF documents.

Tracked as CVE-2026-25755, the vulnerability affects the addJS method used to embed JavaScript code in PDF files.

The issue arises from improper sanitization of user-supplied input in the javascript.js file within jsPDF. Specifically, the problematic line concatenates unsanitized input directly into the PDF stream using the following syntax:

this.internal.out("/JS (" + text + ")");

This logic fails to escape the closing parenthesis, which acts as a string delimiter in the PDF specification.

By injecting a payload such as ) >> /Action …, attackers can prematurely terminate the /JS string and inject arbitrary PDF structures, gaining full control over embedded objects.

| CVE ID | CVSS Score | Description |
| --- | --- | --- |
| CVE-2026-25755 | 8.8 (High) | PDF Object Injection in jsPDF’s addJS method allows arbitrary object injection and action execution in generated PDFs. |

Unlike typical JavaScript-based XSS attacks, this vulnerability manipulates PDF object hierarchies directly. That allows malicious actors to execute actions or modify document structures even when JavaScript is disabled in the viewer.

Critical impacts include:

JS-disabled execution: Injected PDF actions (e.g., /OpenAction) can trigger automatically, bypassing JavaScript restrictions.

Document manipulation: Attackers can inject, encrypt, or modify the /Annots or /Signatures sections to modify metadata, perform phishing, or alter the PDF’s appearance.

Cross-viewer risk: Lightweight PDF viewers, especially mobile or embedded ones, may execute injected actions due to strict compliance with PDF object parsing rules.

Security researcher ZeroXJacks, who discovered the issue, demonstrated a proof-of-concept that uses a crafted addJS payload to trigger custom PDF actions when the document opens.

This highlights a serious risk for applications that dynamically generate PDFs from user input. The underlying flaw stems from missing input validation and escaping per the PDF specification.

Developers are strongly advised to update to jsPDF version 4.1.0 or higher, where input is sanitized correctly by escaping parentheses and backslashes.

Until patched, users should avoid embedding untrusted or user-generated content using addJS or related methods and enforce strict input validation on any client-side PDF creation workflow.
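The escaping described above, shown next to the raw concatenation, as an added example (not code from jsPDF or from the original report). The function names are hypothetical and the inputs are constructed; the second input is only the fragment quoted earlier in this article.

```javascript
// Added illustration; function names are hypothetical, not jsPDF's API.

// Escape backslash first, then both parentheses, as PDF literal strings require.
function escapePdfLiteral(text) {
  return String(text)
    .replace(/\\/g, "\\\\")
    .replace(/\(/g, "\\(")
    .replace(/\)/g, "\\)");
}

// The pattern quoted in the article: raw concatenation into the /JS entry.
const jsEntryUnsafe = (text) => "/JS (" + text + ")";

// Hardened form: the value can no longer close the string or escape its delimiter.
const jsEntrySafe = (text) => "/JS (" + escapePdfLiteral(text) + ")";

// Read the literal string the way a PDF parser does (backslash escapes,
// balanced nested parentheses) and return what is left after it closes.
function splitJsEntry(entry) {
  const start = entry.indexOf("(");
  let depth = 1;
  let i = start + 1;
  for (; i < entry.length; i++) {
    const c = entry[i];
    if (c === "\\") { i++; continue; }      // skip the escaped character
    if (c === "(") depth++;
    else if (c === ")" && --depth === 0) break;
  }
  if (start < 0 || depth !== 0) throw new Error("unterminated literal string");
  return { value: entry.slice(start + 1, i), trailing: entry.slice(i + 1) };
}

// Constructed inputs: ordinary script, the fragment quoted in the article,
// and a trailing backslash that would swallow the closing delimiter.
const samples = ["app.alert(1)", ") >> /Action", "abc\\"];
for (const s of samples) {
  for (const build of [jsEntryUnsafe, jsEntrySafe]) {
    let result;
    try { result = JSON.stringify(splitJsEntry(build(s)).trailing); }
    catch (e) { result = e.message; }
    console.log(build.name, JSON.stringify(s), "->", result);
  }
}
```

A non-empty `trailing` value means part of the input landed outside the /JS string, which is the condition a regression test for a PDF-generating service should reject.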
