## https://sploitus.com/exploit?id=PACKETSTORM:216012
# CVE-2026-25755: PDF Object Injection in jsPDF (addJS Method)
## Description
A PDF Object Injection vulnerability was identified in the `addJS` method of `jsPDF`. The library fails to sanitize user-supplied input for the closing parenthesis character `)`, which acts as a delimiter for literal strings in the PDF specification. This allows an attacker to escape the JavaScript object context and inject arbitrary PDF dictionaries and actions.
## Root Cause Analysis
In `javascript.js`, the input `text` is concatenated directly into the PDF stream without escaping:
```javascript
// Vulnerable line in javascript.js
this.internal.out("/JS (" + text + ")");
```
By providing a payload like ) `>> /Action ...`, an attacker can prematurely close the /JS string and the surrounding dictionary, effectively gaining the ability to write raw PDF objects into the document structure.
### Impact Analysis
Unlike standard Cross-Site Scripting (XSS) or JS injection, PDF Object Injection bypasses the security sandboxes of the PDF JavaScript engine (AcroJS).
## Critical Risks:
`JS-Disabled Execution`: Malicious actions (e.g., /OpenAction) execute even if the user has disabled JavaScript in their PDF viewer.
`Document Structure Manipulation`: Ability to inject /Encrypt, /Signatures, or /Annots to alter document metadata or perform UI redressing/phishing attacks.
`Universal Payload Execution`: The injected objects are processed by lightweight viewers (mobile/embedded) that may lack JS support but strictly follow the PDF object hierarchy.
## Proof of Concept
The following payload escapes the JS context and injects an "Additional Action" that triggers an alert:
```JavaScript
import { jsPDF } from "jspdf";
const doc = new jsPDF();
// 1. ) closes the JS string.
// 2. >> closes the current dictionary.
// 3. /AA injects an Additional Action object.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";
doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
```
## Remediation
Upgrade `jsPDF` to version >= 4.1.0.
All user-supplied input in addJS and similar methods must escape parentheses ( ) and backslashes \ according to the PDF specification.
Researcher: ZeroXJacks
Severity: High (8.8)
"""