PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25755 parallax CVE debrief

CVE-2026-25755 is a high-severity vulnerability in the jsPDF library, allowing attackers to inject arbitrary PDF objects. The vulnerability exists in versions prior to 4.2.0 and is caused by user control of the argument of the `addJS` method. An attacker can craft a payload that escapes the JavaScript string delimiter to execute malicious actions or alter the document structure. This vulnerability impacts any user who opens the generated PDF. The vulnerability has been fixed in [email protected].

Vendor
parallax
Product
jsPDF
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-19
Original CVE updated
2026-06-30
Advisory published
2026-02-19
Advisory updated
2026-06-30

Who should care

Developers and users of the jsPDF library should be aware of this vulnerability and take necessary precautions. The vulnerability has a high CVSS score of 8.1, indicating a significant risk. Users who generate PDFs using jsPDF should ensure they are using version 4.2.0 or later to prevent exploitation.

Technical summary

The vulnerability exists in the `addJS` method of the jsPDF library, which allows user control of the argument. An attacker can inject arbitrary PDF objects by crafting a payload that escapes the JavaScript string delimiter. This can lead to malicious actions or alteration of the document structure. The vulnerability has been fixed in [email protected] by addressing the user control issue. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 8.1, indicating a high severity.

Defensive priority

High priority should be given to updating jsPDF to version 4.2.0 or later. Developers should also ensure that user-provided JavaScript code is properly escaped before passing it to the `addJS` method.

Recommended defensive actions

  • Update jsPDF to version 4.2.0 or later
  • Escape user-provided JavaScript code before passing it to the `addJS` method
  • Validate and sanitize user input to prevent exploitation
  • Monitor for suspicious activity related to PDF generation
  • Implement additional security measures to prevent exploitation, such as using a Web Application Firewall (WAF)

Evidence notes

The vulnerability has been confirmed by the National Vulnerability Database (NVD) and has a CVSS score of 8.1. The vulnerability has been fixed in [email protected], and a workaround is to escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

Official resources

This article was generated with AI assistance based on the supplied source corpus.