jsPDF, Race Condition Vulnerability, CVE-2025-1102 (Medium)

Listen to this Post

The vulnerability exists in the `addJS` method of the jsPDF library in its Node.js build. A module-scoped variable named `text` is used to temporarily store JavaScript content before it is written into the PDF document. When multiple jsPDF document instances are created concurrently, such as in a Node.js web server handling simultaneous requests, all instances share this single global variable. If User A’s request calls addJS, it sets the shared `text` variable. Before User A’s document is finalized and saved, if User B’s request also calls addJS, it overwrites the same variable. When User A’s PDF generation completes, it embeds the JavaScript content from the shared variable, which now contains User B’s data, leading to cross-user data leakage. The flaw is a classic race condition where the shared state is not isolated per document instance.
Platform: jsPDF
Version: < 4.0.1
Vulnerability: Race Condition
Severity: Medium
date: 2025-01-15

Prediction: Patch expected 2025-01-22

What Undercode Say:

$ npm list jspdf
myapp@ /projects/app
└── [email protected]
// exploit-simulate.js
const { jsPDF } = require("jspdf");
const simulateRace = async () => {
const doc1 = new jsPDF();
const doc2 = new jsPDF();
doc1.addJS('console.log("USER_A_TOKEN");');
// Simulate concurrent overwrite
doc2.addJS('console.log("USER_B_TOKEN");');
// doc1.save() would now embed USER_B_TOKEN
};
Check for vulnerable version
$ npm audit | grep jspdf

How Exploit:

An attacker does not actively inject data but benefits from the race condition. By frequently making requests to a server that generates PDFs using addJS, they increase the probability that their JavaScript payload (which could contain stolen data or identifiers) overwrites the shared variable and leaks into another user’s generated PDF document.

Protection from this CVE:

Upgrade to jsPDF version 4.0.1 or later. The patch moves the `text` variable into the function scope of addJS, ensuring isolation per call. If an immediate upgrade is not possible, implement a server-side request queue to process PDF generation jobs sequentially, preventing concurrent execution of the vulnerable method.

Impact:

Cross-user data leakage. Sensitive information intended for one user can appear in another user’s generated PDF file. This is primarily a risk in server-side (Node.js) deployments of jsPDF.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top