CVE-2026-31898
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 501 npm packages depend on jspdf (326 direct, 177 indirect)
Ecosystem-wide dependent count for version 4.2.1.
DescriptionNVD
Impact
User control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions.
If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with..
createAnnotation:colorparameter
Example attack vector:
import { jsPDF } from 'jspdf'
const doc = new jsPDF();
const payload = '000000) /AA <</E <</S /Launch /F (calc.exe)>>>> (';
doc.createAnnotation({
type: 'freetext',
bounds: { x: 10, y: 10, w: 120, h: 20 },
contents: 'hello',
color: payload
});
doc.save('test.pdf');Patches
The vulnerability has been fixed in jsPDF@4.2.1.
Workarounds
Sanitize user input before passing it to the vulnerable API members.
AnalysisAI
A code injection vulnerability in the jsPDF library allows attackers to inject arbitrary PDF objects, including malicious JavaScript actions, through unsanitized user input to the createAnnotation method. The vulnerability affects jsPDF versions prior to 4.2.1 and enables remote attackers to execute arbitrary code when a victim opens or interacts with a maliciously crafted PDF file. A proof-of-concept exploit is publicly available demonstrating how to launch system executables like calc.exe through PDF action injection.
Technical ContextAI
jsPDF is a popular JavaScript library for generating PDF documents in web browsers and Node.js environments, identified by CPE pkg:npm/jspdf. The vulnerability stems from improper output neutralization (CWE-116) in the createAnnotation method, specifically in how the 'color' parameter is processed without adequate sanitization. When creating PDF annotations, the library fails to properly escape or validate user-supplied input, allowing injection of raw PDF object syntax that can include action dictionaries with launch commands or JavaScript code that execute when the PDF is rendered or interacted with.
RemediationAI
Upgrade jsPDF to version 4.2.1 or later immediately, as confirmed in the vendor's security advisory at https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24 and release notes at https://github.com/parallax/jsPDF/releases/tag/v4.2.1. If immediate patching is not possible, implement strict input validation and sanitization for any user-supplied data passed to the createAnnotation method, particularly the color parameter, ensuring no PDF object syntax can be injected. Review all code paths that generate PDFs with user input and implement defense-in-depth measures such as content security policies for generated PDFs.
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-7x6v-j9x4-qf24