Listen to this Post
The vulnerability exploits the `addMetadata` function in jsPDF, where the first argument is user-controlled and unsanitized, allowing arbitrary XML injection into the XMP metadata of generated PDFs. Attackers can close existing XML tags and inject new metadata entries, such as spoofed author information, by crafting malicious input strings. When this manipulated PDF is signed, stored, or processed, the integrity of the document is compromised, as the injected metadata alters the perceived source and properties. The attack leverages the fact that the function does not escape XML entities, enabling XML injection through input that includes closing and opening tags. For example, a user can inject a false “dc:creator” field to impersonate a trusted entity. This vulnerability is particularly severe in scenarios where PDFs are used for verification or auditing, as the tampering may go undetected. The issue stems from insufficient input validation, treating user input as raw XML within the PDF’s metadata structure. By controlling the `addMetadata` parameter, an attacker can embed any XMP data, potentially leading to misinformation, fraud, or system compromises depending on downstream processing. The injected XML persists in the PDF file, affecting all subsequent uses. This flaw exists in versions prior to 4.1.0, where the function trusted input without sanitization.
Platform: jsPDF
Version: < 4.1.0
Vulnerability : XML Injection
Severity: Critical
date: Unknown
Prediction: Patched 2024-01-01
What Undercode Say:
Analytics
npm list jspdf
import { jsPDF } from "jspdf";
const doc = new jsPDF();
const maliciousInput = '</jspdf:metadata></rdf:Description>' +
'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">' +
'<dc:creator>TRUSTED_ADMINISTRATOR</dc:creator>' +
'</rdf:Description>' +
'<rdf:Description><jspdf:metadata>';
doc.addMetadata(maliciousInput, "http://valid.namespace");
doc.save("test.pdf");
How Exploit:
Craft malicious XML input to addMetadata, injecting spoofed metadata into PDFs, compromising integrity when signed or stored.
Protection from this CVE
Update to [email protected]; sanitize user input by escaping XML entities before passing to addMetadata.
Impact:
PDF integrity loss, metadata spoofing, potential fraud in document verification.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

