Package details: pkg:npm/jspdf@4.2.0
purl pkg:npm/jspdf@4.2.0
Next non-vulnerable version 4.2.1
Latest non-vulnerable version 4.2.1
Risk 4.5
Vulnerabilities affecting this package (2)
Vulnerability: VCID-e3t3-9khr-kyhb
Aliases: CVE-2026-31938, GHSA-wfv2-pwc8-crg5
Summary: jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context in which the created PDF is opened. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF containing the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victim's browser context and can extract or modify secrets from this context. The vulnerability has been fixed in jspdf@4.2.1. As a workaround, sanitize user input before passing it to the `output` method.
Fixed by: 4.2.1
Affected by 0 other vulnerabilities.

Vulnerability: VCID-fn9a-xgb4-vfb8
Aliases: CVE-2026-31898, GHSA-7x6v-j9x4-qf24
Summary: jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with. The affected API member is the `color` parameter of `createAnnotation`. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.
Fixed by: 4.2.1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (3)
Vulnerability: VCID-7drx-9wnd-pkcx
Aliases: CVE-2026-25755, GHSA-9vjf-qc39-jprp
Summary: jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing it to the `addJS` method.

Vulnerability: VCID-uzbs-4h45-4fb2
Aliases: CVE-2026-25940, GHSA-p5xg-68wr-hm3m
Summary: jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the affected properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.

Vulnerability: VCID-w2dh-z1yj-bud7
Aliases: CVE-2026-25535, GHSA-67pg-wm7f-q7fj
Summary: jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out-of-memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Another affected method is `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing them to the `addImage` method or one of the other affected methods.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-13T06:28:03.003083+00:00 GHSA Importer Affected by VCID-e3t3-9khr-kyhb https://github.com/advisories/GHSA-wfv2-pwc8-crg5 38.6.0
2026-06-13T06:28:02.971389+00:00 GHSA Importer Affected by VCID-fn9a-xgb4-vfb8 https://github.com/advisories/GHSA-7x6v-j9x4-qf24 38.6.0
2026-06-12T21:30:49.431049+00:00 GitLab Importer Affected by VCID-e3t3-9khr-kyhb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-31938.yml 38.6.0
2026-06-12T21:30:13.439685+00:00 GitLab Importer Affected by VCID-fn9a-xgb4-vfb8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-31898.yml 38.6.0
2026-06-12T15:50:30.927858+00:00 GitLab Importer Fixing VCID-7drx-9wnd-pkcx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-25755.yml 38.6.0
2026-06-12T15:50:30.694948+00:00 GitLab Importer Fixing VCID-w2dh-z1yj-bud7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-25535.yml 38.6.0
2026-06-12T15:50:30.494118+00:00 GitLab Importer Fixing VCID-uzbs-4h45-4fb2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-25940.yml 38.6.0
2026-06-12T07:48:15.565091+00:00 GithubOSV Importer Fixing VCID-w2dh-z1yj-bud7 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-67pg-wm7f-q7fj/GHSA-67pg-wm7f-q7fj.json 38.6.0
2026-06-12T07:47:44.483945+00:00 GithubOSV Importer Fixing VCID-uzbs-4h45-4fb2 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p5xg-68wr-hm3m/GHSA-p5xg-68wr-hm3m.json 38.6.0
2026-06-12T07:47:32.076943+00:00 GithubOSV Importer Fixing VCID-7drx-9wnd-pkcx https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9vjf-qc39-jprp/GHSA-9vjf-qc39-jprp.json 38.6.0
2026-06-11T20:38:03.716140+00:00 GHSA Importer Fixing VCID-uzbs-4h45-4fb2 https://github.com/advisories/GHSA-p5xg-68wr-hm3m 38.6.0
2026-06-11T20:38:03.682623+00:00 GHSA Importer Fixing VCID-7drx-9wnd-pkcx https://github.com/advisories/GHSA-9vjf-qc39-jprp 38.6.0
2026-06-11T20:38:03.571237+00:00 GHSA Importer Fixing VCID-w2dh-z1yj-bud7 https://github.com/advisories/GHSA-67pg-wm7f-q7fj 38.6.0