CVE-2026-24040 is a concurrency-related vulnerability classified under CWE-362 (Race Condition) affecting the jsPDF library, a popular JavaScript tool for generating PDF documents. Prior to version 4.1.0, the addJS method in the Node.js build of jsPDF uses a shared module-scoped variable named 'text' to hold JavaScript content intended for embedding in PDFs. In environments where multiple PDF generation requests occur simultaneously—common in Node.js web servers—this shared variable is accessed and modified concurrently without proper synchronization. As a result, the JavaScript content meant for one user's PDF can be overwritten by another user's request before the document is finalized. This leads to cross-user data leakage, where sensitive JavaScript payloads or embedded data from one user are exposed in another user's PDF document. Although primarily a server-side issue, similar race conditions could theoretically occur in client-side usage if concurrent execution contexts exist. The vulnerability does not require authentication or user interaction, making it easier to exploit in multi-tenant or shared server environments. The CVSS 4.0 base score is 6.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, and partial confidentiality and integrity impact. The flaw was addressed in jsPDF version 4.1.0 by eliminating the shared mutable state and ensuring thread-safe handling of JavaScript content during PDF generation.

For European organizations, this vulnerability poses a risk of sensitive data exposure through inadvertent cross-user leakage in dynamically generated PDFs. Industries such as finance, healthcare, legal, and government that rely on server-side PDF generation with jsPDF in multi-user environments could face confidentiality breaches, potentially violating GDPR and other data protection regulations. The integrity of generated documents is also compromised, undermining trust in document authenticity. Although availability is not directly impacted, reputational damage and regulatory penalties could result from data leakage incidents. Organizations using vulnerable jsPDF versions in high-concurrency Node.js applications, especially those serving multiple clients or tenants, are at heightened risk. Attackers could exploit this flaw to access sensitive information without authentication, increasing the threat landscape. The impact is amplified in environments where PDFs contain embedded scripts or confidential data, making mitigation critical to maintain compliance and data security.

The primary mitigation is to upgrade all jsPDF instances to version 4.1.0 or later, where the race condition has been fixed by removing shared mutable state and implementing proper synchronization. Organizations should audit their Node.js applications to identify usage of vulnerable jsPDF versions, particularly in multi-tenant or concurrent request scenarios. Implementing request-level isolation for PDF generation processes can further reduce risk by preventing shared state across requests. Where upgrading is not immediately feasible, consider serializing PDF generation requests or using separate process instances to avoid concurrent access to shared variables. Conduct thorough testing to ensure no residual race conditions exist in custom PDF generation code. Additionally, review embedded JavaScript usage in PDFs to minimize sensitive data exposure and consider disabling JavaScript in PDFs if not required. Monitoring and logging PDF generation activities can help detect anomalous behavior indicative of exploitation attempts. Finally, ensure compliance with data protection laws by promptly addressing this vulnerability to prevent unauthorized data disclosure.