
CVE-2026-25755: CWE-94: Improper Control of Generation of Code ('Code Injection') in parallax jsPDF

Severity: High
Tags: Vulnerability, CVE-2026-25755, cve, cve-2026-25755, cwe-94, cwe-116
Published: Thu Feb 19 2026 (02/19/2026, 14:41:46 UTC)
Source: CVE Database V5
Vendor/Project: parallax
Product: jsPDF

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

AI-Powered Analysis

Last updated: 02/19/2026, 15:04:13 UTC

Technical Analysis

The vulnerability identified as CVE-2026-25755 affects the parallax jsPDF library, a widely used JavaScript tool for generating PDF documents client-side or server-side. Prior to version 4.2.0, the addJS method accepts user-controlled input that is embedded as JavaScript within the PDF. Due to insufficient sanitization and improper handling of string delimiters, an attacker can craft a payload that escapes the intended JavaScript string context, enabling injection of arbitrary PDF objects or JavaScript code. This code injection can alter the document structure or execute malicious scripts when the PDF is opened by an end user. The root cause is classified under CWE-94 (Improper Control of Generation of Code) and CWE-116 (Improper Encoding or Escaping of Output). The vulnerability is remotely exploitable without authentication but requires the victim to open the malicious PDF, thus involving user interaction. The CVSS v3.1 score of 8.1 reflects high impact on confidentiality and integrity, with network attack vector and low attack complexity. The vulnerability has been addressed in jsPDF 4.2.0 by properly sanitizing inputs to addJS. As a temporary mitigation, escaping parentheses in user-supplied JavaScript code before passing it to addJS can reduce risk. No public exploit code or active exploitation has been reported to date.

Potential Impact

This vulnerability poses a significant risk to organizations that generate PDFs dynamically using vulnerable versions of jsPDF, especially when incorporating untrusted or user-supplied input into the addJS method. Successful exploitation can lead to arbitrary code execution within the PDF context, potentially allowing attackers to execute malicious scripts, steal sensitive information, or manipulate document content. This compromises confidentiality and integrity of the PDF data. Since PDFs are widely used for document exchange in enterprises, government, and financial sectors, the threat surface is broad. Attackers could use social engineering to distribute malicious PDFs via email or websites, targeting end users to trigger the payload. Although availability is not impacted, the breach of confidentiality and integrity can lead to data leaks, fraud, or reputational damage. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure. Organizations relying on jsPDF for document generation should consider this vulnerability critical and address it promptly to avoid potential compromise.

Mitigation Recommendations

Organizations should immediately upgrade all instances of jsPDF to version 4.2.0 or later, where the vulnerability is fully patched. For environments where immediate upgrade is not feasible, implement strict input validation and sanitization on all user-supplied data passed to the addJS method. Specifically, escape parentheses and other special characters in JavaScript code before embedding it in PDFs, so that the input cannot break out of the string delimiter. Additionally, restrict the use of addJS to trusted inputs only and avoid incorporating untrusted or external data without thorough validation. Employ PDF security best practices such as disabling JavaScript execution in PDF viewers where possible, or using viewer settings that prompt users before executing embedded scripts. Monitor for suspicious PDF files in email gateways and endpoint security solutions to detect potential exploitation attempts. Educate users about the risks of opening PDFs from untrusted sources. Finally, maintain an inventory of applications and services using jsPDF to ensure all vulnerable versions are identified and remediated.
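The escaping workaround, as an added example (not jsPDF's own code and not part of the original advisory): it assumes the script text is written between one pair of parentheses as a PDF literal string, and the names `escapePdfLiteral`, `readPdfLiteral`, `embed` and `compare` are hypothetical. The small reader shows where a parser would end the string with and without escaping; it also escapes backslashes, since a backslash is the escape character inside a PDF literal string.

```javascript
// Added example. Assumption: the script ends up inside "( ... )" in the PDF.

// Escape the characters that are special inside a PDF literal string.
// One pass over the input, so a backslash that is added is never re-escaped.
function escapePdfLiteral(text) {
  return String(text).replace(/[\\()]/g, (ch) => "\\" + ch);
}

// Simplified model of how the text is embedded (hypothetical helper).
function embed(js) {
  return "(" + js + ")";
}

// Read a literal string that starts at src[0] === "(" the way a PDF parser
// does: a backslash escapes the next character, unescaped parentheses nest.
// Simplified: octal and \n-style escapes are not decoded.
// Returns { value, rest }, or null when the string never closes.
function readPdfLiteral(src) {
  if (src[0] !== "(") return null;
  let depth = 1;
  let value = "";
  for (let i = 1; i < src.length; i++) {
    const ch = src[i];
    if (ch === "\\") {
      i++;
      if (i < src.length) value += src[i];
      continue;
    }
    if (ch === "(") depth++;
    else if (ch === ")" && --depth === 0) {
      return { value, rest: src.slice(i + 1) };
    }
    value += ch;
  }
  return null;
}

// Compare what the parser sees for raw and for escaped input.
function compare(userJs) {
  return {
    raw: readPdfLiteral(embed(userJs)),
    escaped: readPdfLiteral(embed(escapePdfLiteral(userJs))),
  };
}

// Constructed sample input: balanced parentheses, then one stray ")".
const SAMPLE = "var n = (1 + 2); ) MARKER (x";
console.log(compare(SAMPLE));
```

With the raw input the string ends at the stray parenthesis and ` MARKER (x)` is left over as document content; with the escaped input the reader returns the original script unchanged and nothing is left over. On jsPDF versions before 4.2.0 the escaped string is what would be passed to `addJS`.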


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-05T18:35:52.357Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6997264f5215391843713250

Added to database: 2/19/2026, 3:03:43 PM

Last enriched: 2/19/2026, 3:04:13 PM

Last updated: 2/21/2026, 12:16:15 AM
