Listen to this Post
html2pdf.js is a client-side JavaScript library that converts HTML elements or webpages into PDFs. Prior to version 0.14.0, the library contained a cross-site scripting (XSS) vulnerability because it failed to properly sanitize text inputs . When a developer passed a text string to the library instead of a DOM element, the library would attach this unsanitized text directly to the Document Object Model (DOM) . An attacker could exploit this by injecting malicious HTML or JavaScript code into the text source. For example, a string like `` would be processed and inserted into the page, causing the script to execute in the context of the user’s browser . This allows the attacker to bypass security policies and access sensitive data within the page. The vulnerability exists specifically in the text handling pathway, which lacked the same security controls as the element-based inputs . The attack vector is network-based and requires user interaction, such as a user viewing a generated PDF or page containing the malicious script. The issue has been addressed in version 0.14.0, which now sanitizes text sources using a library like DOMPurify .
Platform: html2pdf.js
Version: prior 0.14.0
Vulnerability :Cross-Site Scripting
Severity: HIGH
date: 01/14/2026
Prediction: 01/14/2026
What Undercode Say:
Analytics:
The vulnerability is caused by improper neutralization of input during web page generation (CWE-79) . It was published on January 14, 2026, and has a CVSS v4 base score of 8.7 (HIGH) with a vector string of AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N . This indicates a network attack vector with low complexity, no privileges required, but passive user interaction is necessary. The impact on confidentiality and integrity is high, while availability impact is low .
Bash commands and codes related to the blog
To update the vulnerable package using npm:
npm install [email protected] --save
To verify the installed version:
npm list html2pdf.js
To add a minimum version constraint in `package.json`:
"html2pdf.js": ">=0.14.0"
How Exploit:
An attacker can exploit this by crafting a malicious text string and passing it to the `html2pdf` function. The following vulnerable code snippet demonstrates the exploit:
import html2pdf from 'html2pdf.js/src/index.js'; const maliciousHTML = '<img src=x onerror="alert(document.cookie)">'; html2pdf(maliciousHTML); // or html2pdf().from(maliciousHTML);
When this code runs, the `onerror` event triggers, executing `alert(document.cookie)` and exposing session cookies .
Protection from this CVE:
- Upgrade: Immediately update to html2pdf.js version 0.14.0 or later, which contains the fix .
- Sanitize Input: If upgrading immediately is not possible, sanitize all user-supplied text using a trusted library like DOMPurify before passing it to html2pdf.js .
- Content Security Policy (CSP): Implement strict CSP headers to block the execution of inline scripts, mitigating the impact of a successful XSS attack .
Impact:
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser. This can lead to session hijacking, theft of sensitive information (cookies, local storage), website defacement, or redirection to malicious sites, compromising the confidentiality, integrity, and availability of the web page and its data .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

