Developers using jsPDF, a widely adopted library for generating PDF files directly in the browser, are being urged to update their software immediately following the discovery of two high-severity vulnerabilities. The flaws, tracked as CVE-2026-24737 and CVE-2026-24133, could allow attackers to inject malicious code into documents or crash applications entirely with a single image.
The vulnerabilities highlight the hidden risks in client-side file generation, where trusting user input can lead to devastating consequences.
The first vulnerability, CVE-2026-24737 (CVSS 8.1), turns the library’s form-creation tools into a vector for attack. The issue lies in the AcroForm module, which allows developers to add interactive fields like checkboxes and radio buttons to PDFs.
The advisory warns that “User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions”.
If an application allows unsanitized user input to flow into specific API members, such as AcroformChoiceField.addOption or AcroFormCheckBox.appearanceState, an attacker can craft a malicious PDF. When a victim opens this document, the injected JavaScript executes, potentially stealing data or performing unauthorized actions.
The second flaw, CVE-2026-24133 (CVSS 8.7), is a classic Denial of Service (DoS) vulnerability disguised as an image. It affects the BMPDecoder, specifically targeting the addImage method.
Attackers can exploit this by providing a “harmful BMP file” with manipulated headers. The report explains that “Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation”.
When the library attempts to process this “bitmap bomb,” it triggers an out-of-memory error, crashing the application or browser tab. This vulnerability effectively allows an attacker to take down a service simply by uploading a malicious image or URL.
The maintainers have addressed both issues in the latest release. Developers are strongly advised to “Upgrade to jspdf@ >=4.1.0,” which contains the necessary fixes.
For those who cannot upgrade immediately, the only defense is rigorous validation. The advisory recommends that developers “Sanitize user input before passing it to the vulnerable API members” and carefully check image data before processing it.
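One way to check image data before it reaches addImage, as an added example that is not code from jsPDF or the advisory: it reads the BMP header fields and rejects files whose declared dimensions exceed a limit or claim more pixel data than the file contains. The names checkBmpHeader, makeBmp and MAX_PIXELS and the 16-megapixel limit are assumptions chosen for illustration.

```javascript
// Added example: pre-flight check of a BMP header before calling addImage.
// checkBmpHeader, makeBmp and MAX_PIXELS are hypothetical names, not jsPDF API.
const MAX_PIXELS = 16 * 1024 * 1024; // assumed application limit

function checkBmpHeader(bytes, maxPixels = MAX_PIXELS) {
  const fail = (reason) => ({ ok: false, reason });
  if (!(bytes instanceof Uint8Array) || bytes.length < 54) return fail("too short");
  if (bytes[0] !== 0x42 || bytes[1] !== 0x4d) return fail("no BM signature");
  const v = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const pixelOffset = v.getUint32(10, true); // where pixel data starts
  if (v.getUint32(14, true) < 40) return fail("unsupported DIB header");
  const width = v.getInt32(18, true);
  const height = Math.abs(v.getInt32(22, true)); // negative = top-down rows
  const bpp = v.getUint16(28, true);
  const compression = v.getUint32(30, true);
  if (width <= 0 || height === 0) return fail("bad dimensions");
  if (![1, 4, 8, 16, 24, 32].includes(bpp)) return fail("bad bit depth");
  // Reject on the declared size alone, before any decoder allocates for it.
  if (width * height > maxPixels) return fail("declared size exceeds limit");
  if (compression === 0) {
    // Uncompressed rows are padded to 4 bytes; the file must hold all of them.
    const stride = Math.floor((bpp * width + 31) / 32) * 4;
    if (pixelOffset + stride * height > bytes.length) {
      return fail("header claims more data than the file holds");
    }
  }
  return { ok: true, width, height };
}

// Constructed sample: a 24-bit uncompressed BMP with the given header fields.
function makeBmp(width, height, dataBytes) {
  const bytes = new Uint8Array(54 + dataBytes);
  const v = new DataView(bytes.buffer);
  bytes[0] = 0x42; bytes[1] = 0x4d;  // "BM"
  v.setUint32(2, bytes.length, true); // file size
  v.setUint32(10, 54, true);          // pixel data offset
  v.setUint32(14, 40, true);          // BITMAPINFOHEADER size
  v.setInt32(18, width, true);
  v.setInt32(22, height, true);
  v.setUint16(26, 1, true);           // colour planes
  v.setUint16(28, 24, true);          // bits per pixel
  return bytes;
}

console.log(checkBmpHeader(makeBmp(2, 2, 16)));                   // well-formed
console.log(checkBmpHeader(makeBmp(0x7fffffff, 0x7fffffff, 16))); // oversized header
```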