Skip to content

fix(deps): update dependency jspdf to v4.1.0 [security]#32384

Merged
sjbur merged 1 commit into26_1from
renovate/npm-jspdf-vulnerability
Feb 5, 2026
Merged

fix(deps): update dependency jspdf to v4.1.0 [security]#32384
sjbur merged 1 commit into26_1from
renovate/npm-jspdf-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 3, 2026

This PR contains the following updates:

Package Change Age Confidence
jspdf 4.0.04.1.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-24040

Impact

The addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests.

If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B.

Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side.

import { jsPDF } from "jspdf";

const docA = new jsPDF();
const docB = new jsPDF();

// 1. User A sets their script (stored in shared 'text' variable)
docA.addJS('console.log("Secret A");');

// 2. User B sets their script (overwrites shared 'text' variable)
docB.addJS('console.log("Secret B");');

// 3. User A saves their PDF (reads current 'text' variable)
docA.save("userA.pdf");

// Result: userA.pdf contains "Secret B" instead of "Secret A"

Patches

The vulnerability has been fixed in jspdf@4.0.1. The fix moves the shared variable into the function scope, ensuring isolation between instances.

Workarounds

Avoid using the addJS method in concurrent server-side environments. If usage is required, ensure requests are processed sequentially (e.g., using a queue) rather than in parallel.

CVE-2026-24043

Impact

User control of the first argument of the addMetadata function allows users to inject arbitrary XML.

If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed.

Example attack vector:

import { jsPDF } from "jspdf"

const doc = new jsPDF()

// Input a string that closes the current XML tag and opens a new one.
// We are injecting a fake "dc:creator" (Author) to spoof the document source.
const maliciousInput = '</jspdf:metadata></rdf:Description>' +
    '<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">' +
    '<dc:creator>TRUSTED_ADMINISTRATOR</dc:creator>' + // <--- Spoofed Identity
    '</rdf:Description>' +
    '<rdf:Description><jspdf:metadata>'

// The application innocently adds the user's input to the metadata
doc.addMetadata(maliciousInput, "http://valid.namespace")

doc.save("test.pdf")

Patches

The vulnerability has been fixed in jsPDF@4.1.0

Workarounds

Sanitize user input before passing it to the addMetadata method: escape XML entities. For example:

let input = "..."

input = input
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;")

doc.addMetadata(input)

CVE-2026-24133

Impact

User control of the first argument of the addImage method results in Denial of Service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, wich lead to excessive memory allocation.

Other affected methods are: html.

Example attack vector:

import { jsPDF } from "jspdf" 

// malicious BMP image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "BMP", 0, 0, 100, 100);

Patches

The vulnerability has been fixed in jsPDF 4.1.0. Upgrade to jspdf@>=4.1.0.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

CVE-2026-24737

Impact

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are:

  • AcroformChoiceField.addOption
  • AcroformChoiceField.setOptions
  • AcroFormCheckBox.appearanceState
  • AcroFormRadioButton.appearanceState

Example attack vector:

import { jsPDF } from "jspdf"
const doc = new jsPDF();

var choiceField = new doc.AcroFormChoiceField();
choiceField.T = "VulnerableField";
choiceField.x = 20;
choiceField.y = 20;
choiceField.width = 100;
choiceField.height = 20;

// PAYLOAD:
// 1. Starts with "/" to bypass escaping.
// 2. "dummy]" closes the array.
// 3. "/AA" injects an Additional Action (Focus event).
// 4. "/JS" executes arbitrary JavaScript.
const payload = "/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert('XSS')) >> >> /Garbage [";

choiceField.addOption(payload);
doc.addField(choiceField);

doc.save("test.pdf");

Patches

The vulnerability has been fixed in jsPDF@4.1.0.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

Credits

Research and fix: Ahmet Artuç

Release Notes

parallax/jsPDF (jspdf)

v4.1.0

Compare Source

This release fixes several security issues.

What's Changed

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Feb 3, 2026
@mpreyskurantov mpreyskurantov reopened this Feb 3, 2026
@mpreyskurantov mpreyskurantov reopened this Feb 3, 2026
@sjbur sjbur merged commit 0fda738 into 26_1 Feb 5, 2026
255 of 282 checks passed
@sjbur sjbur deleted the renovate/npm-jspdf-vulnerability branch February 5, 2026 10:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file skip-cache

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mpreyskurantov @sjbur