jsPDF has a PDF Object Injection via FreeText color
Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the createAnnotation: color parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jspdfnpm | < 4.2.1 | 4.2.1 |
Affected products
1Patches
12 files changed · +26 −4
src/modules/annotations.js+4 −4 modified@@ -191,6 +191,9 @@ import { jsPDF } from "../jspdf.js"; getVerticalCoordinateString(anno.bounds.y + anno.bounds.h) + "] "; var color = anno.color || "#000000"; + var defaultStyle = + "font: Helvetica,sans-serif 12.0pt; text-align:left; color:#" + + color; line = "<</Type /Annot /Subtype /" + "FreeText" + @@ -199,10 +202,7 @@ import { jsPDF } from "../jspdf.js"; "/Contents (" + escape(encryptor(anno.contents)) + ")"; - line += - " /DS(font: Helvetica,sans-serif 12.0pt; text-align:left; color:#" + - color + - ")"; + line += " /DS(" + escape(encryptor(defaultStyle)) + ")"; line += " /Border [0 0 0]"; line += " >>"; this.internal.write(line);
test/specs/annotations.spec.js+22 −0 modified@@ -55,6 +55,28 @@ describe("Module: Annotations", () => { }); comparePdf(doc.output(), "freetext.pdf", "annotations"); }); + it("should escape free text annotation style strings", () => { + const doc = jsPDF({ floatPrecision: 2 }); + doc.createAnnotation({ + type: "freetext", + bounds: { + x: 0, + y: 10, + w: 200, + h: 20 + }, + contents: "This is a freetext annotation", + color: '000000) /AA <</E <</S /JavaScript /JS (alert("x"))>>>> (' + }); + + const output = doc.output(); + const dsMatch = output.match(/\/DS\((.*)\) \/Border \[0 0 0\]/); + + expect(dsMatch).not.toBeNull(); + expect(dsMatch[1]).toContain( + 'color:#000000\\) /AA <</E <</S /JavaScript /JS \\(alert\\("x"\\)\\)>>>> \\(' + ); + }); it("should draw a link on the text with link after add page", () => { const doc = new jsPDF({ unit: "px",
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-7x6v-j9x4-qf24ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31898ghsaADVISORY
- github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.jsghsax_refsource_MISCWEB
- github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8ghsax_refsource_MISCWEB
- github.com/parallax/jsPDF/releases/tag/v4.2.1ghsax_refsource_MISCWEB
- github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.