Cross-site Scripting (XSS)
Description
In all versions of the package jspdf, it is possible to use <script> in order to go over the filtering regex.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in jsPDF allows script injection by bypassing the regex filter with <script> tags.
Vulnerability
Overview
CVE-2020-7691 is a Cross-site Scripting (XSS) vulnerability affecting all versions of the jsPDF library prior to 2.0.0. The core issue lies in the filtering mechanism used by the fromHTML method, which attempts to sanitize HTML input before converting it to PDF. The regex-based filter can be bypassed using a crafted payload such as <script>, allowing an attacker to inject arbitrary JavaScript [2].
Exploitation
An attacker can exploit this vulnerability by supplying a malicious HTML string containing the bypass sequence as input to the fromHTML method. The proof-of-concept (PoC) provided demonstrates that when a PDF is generated using the flawed fromHTML API, the injected script executes in the context of the application's domain. No authentication is required beyond the ability to instruct the library to process untrusted HTML, making it exploitable in any application that uses jsPDF to render user-controlled content [2][4].
Impact
Successful exploitation results in stored or reflected XSS, depending on how the PDF is delivered. An attacker could steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim within the vulnerable application. The injected script runs in the user's browser when the PDF is generated or viewed, bypassing the intended HTML sanitization [2].
Mitigation
The vulnerability has been fixed in jsPDF version 2.0.0 and later. Users of the WebJar variant org.webjars.bowergithub.mrrio:jspdf should upgrade to version 2.3.1 or higher [4]. For the org.webjars:jspdf package, no fixed version is available; users must update to a different distribution or apply external input sanitization [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jspdfnpm | < 2.0.0 | 2.0.0 |
Affected products
2- jspdf/jspdfdescription
Patches
1d0323215b1a1Merge pull request #2982 from aruniverse/security/cve2020-7691
2 files changed · +4 −4
package.json+1 −1 modified@@ -29,7 +29,7 @@ "optionalDependencies": { "canvg": "^3.0.6", "core-js": "^3.6.0", - "dompurify": "^2.0.12", + "dompurify": "^2.2.0", "html2canvas": "^1.0.0-rc.5" }, "devDependencies": {
package-lock.json+3 −3 modified@@ -3330,9 +3330,9 @@ "dev": true }, "dompurify": { - "version": "2.0.12", - "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.0.12.tgz", - "integrity": "sha512-Fl8KseK1imyhErHypFPA8qpq9gPzlsJ/EukA6yk9o0gX23p1TzC+rh9LqNg1qvErRTc0UNMYlKxEGSfSh43NDg==", + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.2.0.tgz", + "integrity": "sha512-bqFOQ7XRmmozp0VsKdIEe8UwZYxj0yttz7l80GBtBqdVRY48cOpXH2J/CVO7AEkV51qY0EBVXfilec18mdmQ/w==", "optional": true }, "dot-case": {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-3q6f-8grx-pr4vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-7691ghsaADVISORY
- github.com/MrRio/jsPDF/commit/d0323215b1a1cd1c35bf2b213274ae1e4797715dghsaWEB
- github.com/MrRio/jsPDF/issues/2971ghsaWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-575255ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-575253ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMRRIO-575254ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-575252ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JS-JSPDF-568273ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.