Intelligence | high | Vulnerability | Active

jsPDF HTML Injection via Unsafe Options Serialization in New Window Output

jsPDF versions before 4.2.1 fail to sanitize user-controlled options passed to window-opening output methods, allowing attackers to inject arbitrary HTML and JavaScript into the PDF viewer context. This enables XSS attacks when applications pass unsanitized user input to these functions.

Sebastion

CVE References

Affected

jspdf/jsPDF (<4.2.1)

Vulnerability Analysis

Root Cause & Classification: This is a client-side HTML injection vulnerability stemming from improper input validation. The jsPDF library's output() method accepts configuration options for three new-window modes (pdfobjectnewwindow, pdfjsnewwindow, dataurlnewwindow). When generating HTML wrapper code for PDF viewers, the library directly interpolates user-supplied strings (filename, pdfObjectUrl, pdfJsUrl) into HTML without sanitization, creating a code-injection vector. The vulnerability is classified as Improper Neutralization of Input During Web Page Generation (CWE-79).

Attack Surface & Preconditions: Exploitation requires two conditions: (1) an application accepts user input for PDF output configuration, and (2) this input flows unsanitized into the output() method call. Common vulnerable patterns include web forms where users specify filenames or APIs where remote callers control output options. The attack occurs in the victim's browser during PDF creation/opening, not on the server.

Detection Guidance: Monitor for:

  • jsPDF library versions <4.2.1 in dependency manifests
  • Code patterns where output() is called with user-derived parameters
  • HTML/JavaScript injection attempts in filename parameters (angle brackets, script tags, iframe tags)
  • Unexpected script execution in PDF viewer contexts (browser DevTools, CSP violations)
  • Log entries from vulnerable applications showing suspicious option values

Mitigation Strategy:

  1. Prioritize patching to jsPDF 4.2.1 or later
  2. Input sanitization as an interim control: validate every user-supplied option value against an allowlist of safe characters (alphanumerics, hyphens, underscores only) before passing it to output()
  3. Deploy Content Security Policy (CSP) headers restricting script-src to limit execution impact if an injection does occur
  4. Code review to identify all application locations where user input flows to jsPDF options
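An interim control matching mitigation 2, as an added example written for this advisory (not jsPDF's own code): a guard that allowlists the three option values named above before they reach output(). It assumes the option keys filename, pdfObjectUrl and pdfJsUrl, and a caller-supplied list of trusted viewer origins.

```javascript
// Hardening guard for jsPDF output() options in the three new-window modes
// (pdfobjectnewwindow, pdfjsnewwindow, dataurlnewwindow). Added example; it is
// not part of jsPDF. Option key names are assumed from the advisory text.

// Mitigation 2 from the advisory: alphanumerics, hyphens and underscores only.
const SAFE_FILENAME = /^[A-Za-z0-9_-]{1,64}$/;
// Characters that would break out of an HTML attribute or inline-script context.
const HTML_BREAKOUT = /["'<>`]/;

function safeFilename(name) {
  if (typeof name !== "string" || !SAFE_FILENAME.test(name)) {
    throw new TypeError("filename rejected: only [A-Za-z0-9_-] is allowed");
  }
  return name;
}

// Viewer script URLs must be absolute https URLs on a trusted origin, with no
// raw characters that the HTML wrapper could misinterpret.
function safeViewerUrl(url, allowedOrigins) {
  if (typeof url !== "string" || HTML_BREAKOUT.test(url)) {
    throw new TypeError("viewer URL rejected: contains HTML-significant characters");
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    throw new TypeError("viewer URL rejected: must be an absolute URL");
  }
  if (parsed.protocol !== "https:" || !allowedOrigins.includes(parsed.origin)) {
    throw new TypeError("viewer URL rejected: origin not in allowlist");
  }
  return parsed.href;
}

// Returns a fresh options object containing only validated keys; any other
// user-supplied key is dropped rather than forwarded.
function hardenOutputOptions(userOptions, allowedOrigins = []) {
  if (userOptions === null || typeof userOptions !== "object") {
    throw new TypeError("options must be an object");
  }
  const out = {};
  if ("filename" in userOptions) out.filename = safeFilename(userOptions.filename);
  if ("pdfObjectUrl" in userOptions) out.pdfObjectUrl = safeViewerUrl(userOptions.pdfObjectUrl, allowedOrigins);
  if ("pdfJsUrl" in userOptions) out.pdfJsUrl = safeViewerUrl(userOptions.pdfJsUrl, allowedOrigins);
  return out;
}

// Intended call site (doc is an assumed jsPDF instance, req.body the untrusted input):
// doc.output("pdfobjectnewwindow", hardenOutputOptions(req.body, ["https://cdn.example.com"]));
```

This is a stop-gap for code that cannot yet move to 4.2.1; the patched version remains the fix.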

Risk Assessment: Medium-to-high likelihood of exploitation in deployed applications, particularly those with user-configurable PDF export features (document generation, reporting interfaces). Threat actors benefit from session token theft, credential harvesting, or malware delivery. The attack is reliable and requires minimal technical sophistication once parameters are identified.