CVE-2026-25755
Published: 19 February 2026
Summary
CVE-2026-25755 is a high-severity Code Injection (CWE-94) vulnerability in Parall jsPDF. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 7.3 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely patching of jsPDF to version 4.2.0 or later to remediate the code injection vulnerability in the addJS method.
Mandates validation and escaping of user-controlled inputs to the addJS method, directly preventing delimiter evasion and arbitrary PDF object injection.
Enables vulnerability scanning to identify deployments using vulnerable jsPDF versions prior to 4.2.0, facilitating proactive remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of web apps that use jsPDF (T1190) to inject malicious PDF content or JavaScript; the resulting document requires user execution by the victim to trigger impacts (T1204.002).
NVD Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.
Deeper analysis
CVE-2026-25755 is a code injection vulnerability in the jsPDF JavaScript library, which is used to generate PDFs in web applications, affecting versions prior to 4.2.0. The issue stems from insufficient validation of user-controlled arguments passed to the `addJS` method, enabling attackers to escape the JavaScript string delimiter and inject arbitrary PDF objects into the resulting document. This flaw is classified under CWE-94 (Improper Control of Generation of Code) and CWE-116 (Improper Encoding or Escaping of Output), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
An attacker who can influence the input to the `addJS` method—such as through untrusted user-supplied JavaScript code in a web form or API—can craft a payload to break out of the string context and embed malicious PDF streams or objects. Upon opening the generated PDF in a viewer, victims face risks including execution of arbitrary actions (e.g., JavaScript within the PDF) or structural alterations to the document, potentially leading to high confidentiality and integrity impacts like data exfiltration or tampering. Exploitation requires no privileges and is network-accessible with low complexity, but depends on user interaction to open the malicious PDF.
The vulnerability was addressed in jsPDF version 4.2.0, as detailed in the project's security advisory (GHSA-9vjf-qc39-jprp), release notes, and the fixing commit. Developers are advised to upgrade immediately; as a temporary measure, escape parentheses in any user-provided JavaScript code before invoking the `addJS` method to prevent delimiter evasion.
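The parenthesis-escaping workaround described above, as an added example that is not jsPDF's own code or its fix. It assumes the `addJS` argument is written into a PDF literal string delimited by parentheses, and it goes one step beyond the stated workaround by also escaping backslashes, since an input backslash can otherwise cancel the escape added in front of a parenthesis. All function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not jsPDF code.
// Assumption: the addJS argument ends up inside a PDF literal string "( ... )".

// Incomplete: prefixes only parentheses, so an input backslash can cancel
// the backslash this function adds.
function escapeParensOnly(text) {
  return text.replace(/[()]/g, (ch) => "\\" + ch);
}

// Escapes backslash, "(" and ")" in one pass, so every backslash in the
// output belongs to exactly one two-character escape sequence.
function escapePdfLiteral(text) {
  if (typeof text !== "string") throw new TypeError("expected a string");
  return text.replace(/[\\()]/g, (ch) => "\\" + ch);
}

// True if some "(" or ")" follows an even-length run of backslashes,
// meaning a PDF parser would treat it as a live string delimiter.
function hasUnescapedParen(s) {
  let run = 0;
  for (const ch of s) {
    if (ch === "\\") { run++; continue; }
    if ((ch === "(" || ch === ")") && run % 2 === 0) return true;
    run = 0;
  }
  return false;
}

// What a viewer recovers from the escaped form (only the three escapes
// that escapePdfLiteral can emit need handling).
function decodePdfLiteral(s) {
  return s.replace(/\\([\\()])/g, "$1");
}

// Constructed sample inputs.
const samples = [
  'app.alert("Total (incl. tax)");',
  'var path = "C:\\\\dir\\\\";',
  "trailing backslash then paren \\)",
];

for (const s of samples) {
  const safe = escapePdfLiteral(s);
  console.log(hasUnescapedParen(escapeParensOnly(s)), hasUnescapedParen(safe),
              decodePdfLiteral(safe) === s);
}
// Before 4.2.0 the call would be doc.addJS(escapePdfLiteral(userScript)); doc is an assumed jsPDF instance.
```

The helper is meant only for the pre-4.2.0 workaround; upgrading to 4.2.0 or later remains the fix the advisory names.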
Details
- CWE(s)