If your web application generates PDF documents on the fly, you might be carrying a critical security risk in your dependency tree. A severe vulnerability has been disclosed in jsPDF, a cornerstone of the JavaScript ecosystem that receives a total of 5.6 million downloads a week.
Tracked as CVE-2026-25755 and carrying a high CVSS score of 8.1, this flaw allows attackers to perform PDF Object Injection. By exploiting this vulnerability, malicious actors can hijack the generated document’s structure, potentially executing unauthorized actions on the machines of unsuspecting users who open the downloaded files.
The vulnerability is rooted in how the jsPDF library handles user-supplied JavaScript when generating documents, specifically within the addJS method.
When developers use this method to embed scripts into a PDF, they expect the library to handle the data safely. However, the root cause analysis revealed a dangerous oversight in javascript.js where “the input text is concatenated directly into the PDF stream without escaping”.
The report highlights the specific vulnerable line of code: `this.internal.out("/JS(" + text + ")")`.
Because the input is not sanitized, an attacker can craft a payload that breaks out of the intended JavaScript string delimiter. “By providing a payload like ) >> /Action …, an attacker can prematurely close the /JS string and the surrounding dictionary,” the advisory explains. This effectively grants the attacker “the ability to write raw PDF objects into the document structure”.
What makes CVE-2026-25755 particularly dangerous is its ability to evade built-in PDF reader protections.
While many security teams are hyper-focused on traditional web-based attacks, this flaw shifts the battlefield. The report warns that “Unlike standard Cross-Site Scripting (XSS) or JS injection, PDF Object Injection bypasses the security sandboxes of the PDF JavaScript engine (AcroJS)”. This means standard PDF reader restrictions might fail to stop the injected malicious actions from executing.
Given that jsPDF is a key ecosystem project with over 31k stars on its GitHub repository, the blast radius for this vulnerability is immense.
Developers and security teams are strongly urged to update their dependencies immediately.
- The Patch: The vulnerability has been officially “fixed in jspdf@4.2.0”.
- The Workaround: If upgrading is not immediately possible, the advisory offers a temporary fix: developers must manually “Escape parentheses in user-provided JavaScript code before passing them to the addJS method”.
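The workaround above, as an added example that is not jsPDF's code or the advisory's: `emitJsEntry` models the quoted concatenation, and `escapePdfLiteral`, `readLiteral` and `staysInsideString` are hypothetical helper names. It also escapes backslashes, which the advisory text does not mention but PDF literal-string syntax requires for the parenthesis escapes to hold.

```javascript
// Added example, not jsPDF source. emitJsEntry() models the quoted concatenation.
function emitJsEntry(text) {
  return "/JS(" + text + ")";
}

// Workaround: escape for a PDF literal string. Backslash goes first so the
// escapes added for parentheses are not themselves re-escaped.
function escapePdfLiteral(text) {
  return String(text)
    .replace(/\\/g, "\\\\")
    .replace(/\(/g, "\\(")
    .replace(/\)/g, "\\)");
}

// Simplified PDF literal-string reader (no octal or \n decoding): returns the
// string value and the bytes left after its closing ")"; trailing is null
// when the string never terminates.
function readLiteral(stream) {
  const start = stream.indexOf("(");
  if (start < 0) return { value: "", trailing: null };
  let depth = 0, value = "";
  for (let i = start; i < stream.length; i++) {
    const ch = stream[i];
    if (ch === "\\") { value += stream[++i] ?? ""; continue; }
    if (ch === "(") { if (depth++ > 0) value += ch; continue; }
    if (ch === ")") {
      if (--depth === 0) return { value, trailing: stream.slice(i + 1) };
    }
    value += ch;
  }
  return { value, trailing: null };
}

// True when the value survives as one string with nothing after it.
function staysInsideString(text, escape) {
  const parsed = readLiteral(emitJsEntry(escape ? escapePdfLiteral(text) : text));
  return parsed.value === text && parsed.trailing === "";
}

// Constructed inputs; the second mirrors the fragment quoted from the advisory.
const samples = ["f(1);", "x = 1;) >> /Action", "a\\"];
for (const s of samples) {
  console.log(JSON.stringify(s), "raw:", staysInsideString(s, false),
              "escaped:", staysInsideString(s, true));
}
```

Balanced parentheses pass through unescaped, so testing with ordinary scripts alone will not reveal the problem; an unmatched `)` or a trailing backslash does.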