Listen to this Post
The vulnerability exploits insufficient input sanitization in the Acroform module of jsPDF, allowing attackers to inject arbitrary PDF objects through user-controlled properties and methods. Specifically, the vulnerable API members—AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState—do not properly escape or validate input. When unsanitized data is passed to these methods, it can embed malicious PDF objects like JavaScript actions into the generated PDF. The injection bypasses escaping by using a payload that starts with “/” to avoid string processing, closes an array with “dummy]”, and injects an Additional Action (“/AA”) with JavaScript (“/JS”) for execution. For example, via addOption, a payload such as “/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert(‘XSS’)) >> >> /Garbage [” is inserted into the PDF structure. When a victim opens the crafted PDF, the embedded JavaScript executes in the PDF viewer context, leading to cross-site scripting (XSS) or other compromises. This occurs because the Acroform module incorrectly parses these inputs as part of the PDF object stream, allowing arbitrary code to be included in actions triggered by events like focus. The vulnerability stems from a lack of validation for special characters and PDF object boundaries, enabling attackers to manipulate the PDF’s internal dictionary and array structures. Fixed in version 4.1.0 by implementing proper sanitization to escape or reject dangerous sequences in these API calls.
Platform: jsPDF
Version: Before 4.1.0
Vulnerability: Acroform injection
Severity: Critical
date: Not disclosed
Prediction: Fixed in 4.1.0
What Undercode Say:
Analytics
No bash commands provided in ; refer to JavaScript code.
import { jsPDF } from "jspdf"
const doc = new jsPDF();
var choiceField = new doc.AcroFormChoiceField();
choiceField.T = "VulnerableField";
choiceField.x = 20;
choiceField.y = 20;
choiceField.width = 100;
choiceField.height = 20;
const payload = "/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert('XSS')) >> >> /Garbage [";
choiceField.addOption(payload);
doc.addField(choiceField);
doc.save("test.pdf");
Exploit
Inject payload via vulnerable Acroform methods to execute JavaScript in PDF viewers.
Protection from this CVE
Update to jsPDF 4.1.0; sanitize user inputs.
Impact
Arbitrary JavaScript execution, XSS.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

