PatchSiren cyber security CVE debrief
CVE-2026-25755 parallax CVE debrief
CVE-2026-25755 is a high-severity vulnerability in the jsPDF library, allowing attackers to inject arbitrary PDF objects. The vulnerability exists in versions prior to 4.2.0 and is caused by user control of the argument of the `addJS` method. An attacker can craft a payload that escapes the JavaScript string delimiter to execute malicious actions or alter the document structure. This vulnerability impacts any user who opens the generated PDF. The vulnerability has been fixed in [email protected].
- Vendor
- parallax
- Product
- jsPDF
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-19
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-02-19
- Advisory updated
- 2026-06-30
Who should care
Developers and users of the jsPDF library should be aware of this vulnerability and take necessary precautions. The vulnerability has a high CVSS score of 8.1, indicating a significant risk. Users who generate PDFs using jsPDF should ensure they are using version 4.2.0 or later to prevent exploitation.
Technical summary
The vulnerability exists in the `addJS` method of the jsPDF library, which allows user control of the argument. An attacker can inject arbitrary PDF objects by crafting a payload that escapes the JavaScript string delimiter. This can lead to malicious actions or alteration of the document structure. The vulnerability has been fixed in [email protected] by addressing the user control issue. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 8.1, indicating a high severity.
Defensive priority
High priority should be given to updating jsPDF to version 4.2.0 or later. Developers should also ensure that user-provided JavaScript code is properly escaped before passing it to the `addJS` method.
Recommended defensive actions
- Update jsPDF to version 4.2.0 or later
- Escape user-provided JavaScript code before passing it to the `addJS` method
- Validate and sanitize user input to prevent exploitation
- Monitor for suspicious activity related to PDF generation
- Implement additional security measures to prevent exploitation, such as using a Web Application Firewall (WAF)
Evidence notes
The vulnerability has been confirmed by the National Vulnerability Database (NVD) and has a CVSS score of 8.1. The vulnerability has been fixed in [email protected], and a workaround is to escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.
Official resources
-
CVE-2026-25755 CVE record
CVE.org
-
CVE-2026-25755 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Mitigation, Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.