A newly disclosed security issue in the popular jsPDF library has raised serious concerns for web developers. The flaw could allow attackers to inject malicious objects into PDF files generated by web applications. The vulnerability is tracked as CVE-2026-25755 and carries a CVSS score of 8.8, which makes it a high-severity issue.
jsPDF is widely used by developers to create PDF files directly in the browser. Many websites use it to generate invoices, reports, tickets, and other downloadable documents.
The issue was discovered by security researcher ZeroXJacks. The researcher also released a proof of concept showing how a crafted payload inside the addJS method can trigger custom actions when the PDF is opened.
The issue exists in the addJS method. This method allows developers to embed JavaScript inside a generated PDF file. The problem happens because user input is not properly sanitized before being added to the PDF structure. In the affected code, user-supplied text is inserted directly into the PDF stream without escaping special characters.
The vulnerable line looks like this:
this.internal.out("/JS (" + text + ")");
In PDF format, parentheses are used to define strings. If an attacker adds a closing parenthesis inside the input, it can break out of the intended string and inject new PDF objects.
This means attackers can insert their own PDF structure and actions inside the document. Attackers could modify document metadata, inject fake annotations, alter digital signature sections, encrypt parts of the file, or trigger automatic actions when the PDF opens.
This is not a normal web-based cross-site scripting attack. Instead of attacking the browser, this vulnerability manipulates the internal object structure of a PDF file. This makes the attack more dangerous in some cases.
Even if JavaScript is disabled in the PDF viewer, injected PDF actions like /OpenAction can still run automatically when the document is opened.
Any web application that dynamically generates PDF files using jsPDF and includes user-supplied input in the addJS method is at risk. This is especially dangerous for platforms that generate invoices or reports from user data or allow custom PDF exports. Since jsPDF is widely used, millions of developers could be affected.
Developers should immediately update to jsPDF version 4.1.0 or later. In this version, input is properly sanitized and special characters like parentheses and backslashes are escaped correctly. Until applications are updated, developers should avoid embedding untrusted input using the addJS method.
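To show what escaping parentheses and backslashes achieves, here is an added example (not jsPDF's own code) that builds the /JS entry with and without escaping and checks whether the input stays inside the PDF literal string. All function names are hypothetical and the sample inputs are constructed and harmless.

```javascript
// Added illustration; not jsPDF source. All function names are hypothetical.

// Escape the three characters that are special inside a PDF literal string.
function escapePdfString(text) {
  return String(text).replace(/[\\()]/g, (ch) => "\\" + ch);
}

// The pattern from the article: input concatenated between "(" and ")".
function buildJsEntryUnsafe(text) {
  return "/JS (" + text + ")";
}

// Same entry with the input escaped first.
function buildJsEntrySafe(text) {
  return "/JS (" + escapePdfString(text) + ")";
}

// Walk a literal string the way a PDF reader does: a backslash escapes the
// next character, unescaped parentheses nest. Returns the index of the ")"
// that closes the string opened at `start`, or -1 if it never closes.
function literalStringEnd(entry, start) {
  let depth = 0;
  for (let i = start; i < entry.length; i++) {
    const ch = entry[i];
    if (ch === "\\") { i++; continue; }
    if (ch === "(") depth++;
    else if (ch === ")" && --depth === 0) return i;
  }
  return -1;
}

// True when the string opened by "/JS (" is the last token of the entry,
// i.e. nothing from the input ended up outside the string.
function inputStaysInString(entry) {
  const open = entry.indexOf("(");
  return literalStringEnd(entry, open) === entry.length - 1;
}

// Constructed sample inputs: balanced parens, a stray ")", a trailing "\".
const samples = ["f(1)", "a) b (c", "ends with \\"];
for (const s of samples) {
  console.log(JSON.stringify(s),
    "unsafe:", inputStaysInString(buildJsEntryUnsafe(s)),
    "safe:", inputStaysInString(buildJsEntrySafe(s)));
}
```

A check like inputStaysInString can serve as a regression test around any code path that writes user-controlled text into a PDF string.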







