jsPDF, Acroform Injection Vulnerability, Critical

Listen to this Post

The vulnerability exploits insufficient input sanitization in the Acroform module of jsPDF, allowing attackers to inject arbitrary PDF objects through user-controlled properties and methods. Specifically, the vulnerable API members—AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState—do not properly escape or validate input. When unsanitized data is passed to these methods, it can embed malicious PDF objects like JavaScript actions into the generated PDF. The injection bypasses escaping by using a payload that starts with “/” to avoid string processing, closes an array with “dummy]”, and injects an Additional Action (“/AA”) with JavaScript (“/JS”) for execution. For example, via addOption, a payload such as “/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert(‘XSS’)) >> >> /Garbage [” is inserted into the PDF structure. When a victim opens the crafted PDF, the embedded JavaScript executes in the PDF viewer context, leading to cross-site scripting (XSS) or other compromises. This occurs because the Acroform module incorrectly parses these inputs as part of the PDF object stream, allowing arbitrary code to be included in actions triggered by events like focus. The vulnerability stems from a lack of validation for special characters and PDF object boundaries, enabling attackers to manipulate the PDF’s internal dictionary and array structures. Fixed in version 4.1.0 by implementing proper sanitization to escape or reject dangerous sequences in these API calls.
Platform: jsPDF
Version: Before 4.1.0
Vulnerability: Acroform injection
Severity: Critical
date: Not disclosed

Prediction: Fixed in 4.1.0

What Undercode Say:

Analytics

No bash commands provided in ; refer to JavaScript code.
import { jsPDF } from "jspdf"
const doc = new jsPDF();
var choiceField = new doc.AcroFormChoiceField();
choiceField.T = "VulnerableField";
choiceField.x = 20;
choiceField.y = 20;
choiceField.width = 100;
choiceField.height = 20;
const payload = "/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert('XSS')) >> >> /Garbage [";
choiceField.addOption(payload);
doc.addField(choiceField);
doc.save("test.pdf");

Exploit

Inject payload via vulnerable Acroform methods to execute JavaScript in PDF viewers.

Protection from this CVE

Update to jsPDF 4.1.0; sanitize user inputs.

Impact

Arbitrary JavaScript execution, XSS.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top