CVE-2026-24040: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in parallax jsPDF
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0.
AI Analysis
Technical Summary
jsPDF is a widely used JavaScript library for generating PDF documents. Prior to version 4.1.0, the addJS method in the Node.js build of jsPDF uses a shared module-scoped variable named 'text' to hold JavaScript content that will be embedded in the generated PDF. Because this variable is shared across all requests in a concurrent environment such as a Node.js web server, simultaneous PDF generation requests can interfere with each other. Specifically, if multiple requests invoke addJS concurrently, the 'text' variable can be overwritten by a subsequent request before the PDF document is finalized. This race condition leads to cross-user data leakage, where the PDF generated for one user may include JavaScript code and potentially sensitive data intended for another user. Although primarily a server-side issue, similar race conditions could theoretically occur in client-side environments if jsPDF is used concurrently in multi-threaded or asynchronous contexts. The vulnerability is categorized under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). The flaw was addressed and fixed in jsPDF version 4.1.0 by removing or properly isolating the shared state to prevent concurrent access conflicts. No known exploits are currently reported in the wild. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and low impact on confidentiality and integrity but no impact on availability. This suggests that while the vulnerability is exploitable remotely without authentication, the impact is limited to confidentiality leakage in concurrent usage scenarios.
Potential Impact
For European organizations using jsPDF versions prior to 4.1.0 in server-side environments, this vulnerability poses a risk of cross-user data leakage. Sensitive information embedded in JavaScript within PDFs—such as user-specific data, tokens, or confidential scripts—could be inadvertently exposed to other users. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR breaches), and reputational damage. Organizations providing PDF generation as part of web services or SaaS platforms are particularly at risk, especially if they handle sensitive or personal data. The impact is compounded in high-concurrency environments like busy web servers or multi-tenant applications. Although the vulnerability does not allow code execution or denial of service, the confidentiality breach alone is significant for sectors such as finance, healthcare, and government. The absence of known exploits reduces immediate risk, but the ease of exploitation in concurrent request scenarios means attackers could develop exploits if motivated. European organizations must consider this vulnerability in their risk assessments and patch management strategies to avoid data leakage incidents.
Mitigation Recommendations
The primary mitigation is to upgrade all jsPDF instances to version 4.1.0 or later, where the race condition has been fixed. For organizations unable to upgrade immediately, isolating PDF generation processes to avoid concurrent execution sharing the same Node.js process or module instance can reduce risk. Implementing request-level locking or queueing to serialize PDF generation requests can prevent simultaneous access to the shared variable. Reviewing and refactoring custom code that uses jsPDF’s addJS method to ensure no shared mutable state is accessed concurrently is also recommended. Additionally, auditing PDF generation workflows to minimize embedding sensitive JavaScript content can reduce exposure. Monitoring logs for anomalies in PDF generation timing or content can help detect potential exploitation attempts. Finally, organizations should incorporate this vulnerability into their vulnerability management and incident response plans, ensuring timely patching and awareness among development teams.
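The race described above and the two remedies (state kept per document, and serialized generation for deployments that cannot upgrade yet), as an added example. This is a simplified model of the bug class, not jsPDF's source code; every name in it (`makeSharedStateLib`, `makeIsolatedLib`, `renderFor`, `serialize`, `demo`) and the sample secrets are hypothetical.

```javascript
// Added illustration: a simplified model of the bug class, NOT jsPDF's source.
// All function names and sample values below are constructed for this example.

// Vulnerable shape: one module-scoped variable shared by every document.
function makeSharedStateLib() {
  let text; // single slot, shared by all callers of this module instance
  return {
    addJS(doc, js) { text = js; },               // overwrites the shared slot
    output(doc) { return `${doc.id}:${text}`; }  // reads whatever is there now
  };
}

// Isolated shape: the script is stored on the document it belongs to.
function makeIsolatedLib() {
  return {
    addJS(doc, js) { doc.js = js; },
    output(doc) { return `${doc.id}:${doc.js}`; }
  };
}

// A request handler that yields to the event loop between addJS and output,
// as a real handler does when it awaits a database or template call.
async function renderFor(lib, user, secret) {
  const doc = { id: user };
  lib.addJS(doc, `var token="${secret}";`);
  await new Promise((resolve) => setImmediate(resolve));
  return lib.output(doc);
}

// Stop-gap when upgrading is not yet possible: run one render at a time.
function serialize(fn) {
  let tail = Promise.resolve();
  return (...args) => {
    const run = tail.then(() => fn(...args));
    tail = run.catch(() => {}); // a failed render must not block the queue
    return run;
  };
}

// Two overlapping requests against the same library instance.
async function demo(lib, wrap = (f) => f) {
  const render = wrap(renderFor);
  return Promise.all([
    render(lib, "userA", "A-SECRET"),
    render(lib, "userB", "B-SECRET"),
  ]);
}
```

With the shared-state model, the document rendered for `userA` carries `userB`'s script; with per-document state or the `serialize` wrapper, each document carries its own. Serialization removes the overlap at the cost of throughput, so it is a stop-gap rather than a substitute for upgrading.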
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-20T22:30:11.777Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69813005f9fa50a62f63a3d1
Added to database: 2/2/2026, 11:15:17 PM
Last enriched: 2/2/2026, 11:32:12 PM
Last updated: 2/7/2026, 1:33:52 AM