CVE-2026-25940
PDF Object Injection vulnerability in jspdf (npm)

PDF Object Injection No known exploit

What is CVE-2026-25940 About?

This vulnerability is a PDF Object Injection in the Acroform module of jsPDF. It allows users to inject arbitrary PDF objects, such as JavaScript actions, by providing unsanitized input to specific properties like `AcroformChildClass.appearanceState`. This can lead to the execution of malicious JavaScript when a victim interacts with the generated PDF, and it is relatively easy to exploit with controlled input.

Affected Software

jspdf <4.2.0

Technical Details

The vulnerability lies within the Acroform module of jsPDF, specifically in the handling of properties such as `AcroformChildClass.appearanceState`. If user-controlled input is passed to this property without proper sanitization, an attacker can inject arbitrary PDF objects directly into the generated PDF structure.

The provided example exploits `appearanceState` to inject an 'Additional Action' (`/AA`). This action is configured to execute JavaScript (`app.alert('XSS')`) when a user hovers over a radio option in the PDF. The malicious payload `Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>` breaks out of the intended `appearanceState` value and injects a new PDF dictionary with a JavaScript action, which is then executed in the context of the PDF viewer.
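An input check that callers can apply to values bound for `appearanceState`, as defense in depth alongside the upgrade to 4.2.0. This is an added example, not jsPDF code and not the fix shipped in 4.2.0; `isSafePdfName`, `modelWidgetDict` and `topLevelKeys` are hypothetical names, and the serializer is a simplified model assumed for illustration.

```javascript
// Added example, not jsPDF code. Function names here are hypothetical.
// PDF syntax: whitespace or a delimiter ends a name token, so a value that
// contains either can terminate the name and start new dictionary entries.
const PDF_DELIMITERS = "()<>[]{}/%";

// True only when `value` is a single name token of printable ASCII regular
// characters. "#" (the name escape character) is rejected to stay conservative,
// and the length cap of 64 is an arbitrary conservative choice.
function isSafePdfName(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 64) return false;
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (code < 0x21 || code > 0x7e) return false; // whitespace, control, non-ASCII
    if (PDF_DELIMITERS.includes(ch) || ch === "#") return false;
  }
  return true;
}

// ASSUMPTION: simplified model of a serializer that writes the state unescaped
// after /AS. It stands in for the vulnerable pattern; it is not jsPDF's source.
function modelWidgetDict(state) {
  return `<< /Type /Annot /Subtype /Widget /AS /${state} >>`;
}

// Lists the keys of the outermost dictionary, for regression checks on output.
function topLevelKeys(dictText) {
  const tokenRe = /<<|>>|\/[^\s()<>\[\]{}\/%]*|\((?:[^()]|\([^()]*\))*\)|[^\s()<>\[\]{}\/%]+/g;
  const keys = [];
  let depth = 0;
  let expectKey = false;
  for (const tok of dictText.match(tokenRe) || []) {
    if (tok === "<<" || tok === ">>") {
      depth += tok === "<<" ? 1 : -1;
      if (depth === 1) expectKey = true; // entering, or back at, the outer dict
    } else if (depth === 1) {
      if (expectKey) keys.push(tok);
      expectKey = !expectKey; // keys and simple values alternate
    }
  }
  return keys;
}

// The string quoted in Technical Details, and two ordinary state names.
const PAGE_PAYLOAD = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>";
for (const v of ["Off", "Yes", PAGE_PAYLOAD]) {
  console.log(JSON.stringify(v), isSafePdfName(v), topLevelKeys(modelWidgetDict(v)));
}
```

Rejecting the value before it reaches the library keeps the widget dictionary to its expected keys; an unexpected `/AA` key in generated output is the signal to look for in a regression test.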

What is the Impact of CVE-2026-25940?

Successful exploitation may allow attackers to inject arbitrary PDF objects and JavaScript actions, leading to client-side script execution (e.g., XSS within the PDF viewer context), information disclosure, or manipulation of the PDF document. This impacts any user who opens the crafted PDF.

What is the Exploitability of CVE-2026-25940?

Exploitation complexity is moderate, requiring the attacker to understand PDF object structures and how to craft a payload that can be injected through the `appearanceState` property. No authentication is directly required if the attacker can control the input to the vulnerable API members within the Acroform module. Privilege requirements are low, as any user able to provide input that influences these properties could exploit it. This is a remote exploitation scenario if applications generate PDFs based on user-supplied data, or a local one if a client application uses these APIs with untrusted input. The special condition is that the victim must open the generated PDF and interact with the vulnerable element (e.g., hover over the radio option). The primary risk factor is applications utilizing the jsPDF Acroform module with unsanitized user input for properties like `appearanceState`.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2026-25940?

Available Upgrade Options

  • jspdf
    • <4.2.0 → Upgrade to 4.2.0

Additional Resources

What are Similar Vulnerabilities to CVE-2026-25940?

Similar Vulnerabilities: CVE-2017-8822, CVE-2018-16168, CVE-2019-14227, CVE-2020-11979, CVE-2021-3694