SB2026042734 - Multiple vulnerabilities in jspdf

Published: April 27, 2026

Security Bulletin ID: SB2026042734
Severity: High
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity: High 25%, Medium 75%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-24737)

The vulnerability allows a remote attacker to execute arbitrary JavaScript.

The vulnerability exists due to improper encoding or escaping of output in the AcroForm module when processing unsanitized input passed to affected AcroForm methods or properties. A remote attacker can supply crafted input to inject arbitrary PDF objects and execute arbitrary JavaScript.

User interaction is required to open the crafted PDF document.


2) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-24043)

The vulnerability allows a remote attacker to inject arbitrary XMP metadata into generated PDF documents.

The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the addMetadata function when processing unsanitized user-supplied metadata input. A remote attacker can supply crafted XML content to inject arbitrary XMP metadata into generated PDF documents.

This can spoof document identity information and undermine the integrity of PDFs that are signed, stored, or otherwise processed afterward.
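As an added illustration for items 1 and 2 (this code is not from jsPDF or from the bulletin's author), the helpers below escape untrusted input for the two output contexts involved: a PDF literal string, as used for AcroForm field values, and XML text inside an XMP packet of the kind passed to addMetadata. The buildXmpDescription wrapper, its fixed field names and the jsPDF calls mentioned in comments are assumptions made for the example; escaping at the output boundary is the generic control for both weakness classes, and the vendor update remains the actual fix.

```javascript
// Added example, not jsPDF code: escape untrusted text before it is written
// into PDF object syntax (AcroForm field values) or into XML (XMP metadata).

// PDF literal strings (ISO 32000-1, 7.3.4.2) are delimited by parentheses, so
// an unescaped "(", ")" or "\" from the user changes the object structure.
// Those and non-printable bytes are written as backslash escapes; code points
// outside the 8-bit range are replaced so no raw syntax can leak through.
function escapePdfString(input) {
  let out = '';
  for (const ch of String(input)) {
    const code = ch.codePointAt(0);
    if (ch === '\\' || ch === '(' || ch === ')') {
      out += '\\' + ch;
    } else if (code < 0x20 || code === 0x7f) {
      out += '\\' + code.toString(8).padStart(3, '0');   // \ddd octal escape
    } else if (code > 0xff) {
      out += '?';  // a full implementation would switch to a UTF-16BE string
    } else {
      out += ch;
    }
  }
  return out;
}
// Usage idea (assumed jsPDF API, shown only as a comment):
//   field.value = escapePdfString(untrustedName); doc.addField(field);

// XML text content: the five predefined entities cover every character that
// can open or close a tag or terminate an attribute value.
function escapeXml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Build an XMP description from untrusted title/creator strings. The element
// names are fixed by the caller; only the text nodes come from the user.
// With jsPDF the result would be handed to doc.addMetadata(...) (assumption).
function buildXmpDescription({ title, creator }) {
  return '<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">' +
    `<dc:title>${escapeXml(title)}</dc:title>` +
    `<dc:creator>${escapeXml(creator)}</dc:creator>` +
    '</rdf:Description>';
}

// Sanity check a consumer can keep in tests: the packet has exactly the six
// tags of the template, whatever the input contained.
function tagCount(xml) {
  return (xml.match(/</g) || []).length;
}
```

The tagCount check is a cheap regression test for the metadata path: if user input ever reaches the packet unescaped, the count of tags stops matching the template.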


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-24133)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the BMPDecoder when parsing user-supplied BMP image data or URLs via the addImage or html methods. A remote attacker can provide a specially crafted BMP file with large width or height header values to cause a denial of service.

The issue can trigger out-of-memory errors through excessive memory allocation.
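Added example, not jsPDF's BMPDecoder code: a header pre-check that a consumer can run on an untrusted BMP before handing it to any decoder, rejecting images whose declared dimensions exceed a pixel budget or whose declared pixel data is longer than the file that carries it. The 16-megapixel budget, the makeBmpHeader helper and the sample headers are constructed for this example; the header offsets are those of the standard BITMAPINFOHEADER layout.

```javascript
// Added example, not jsPDF code: validate what a BMP header declares before
// any pixel buffer is allocated. A decoder that trusts the header allocates
// width * height * 4 bytes for its RGBA output, which is exactly the
// allocation a hostile width/height inflates.
const MAX_PIXELS = 16 * 1024 * 1024;  // policy value chosen for this example

function checkBmpHeader(bytes, maxPixels = MAX_PIXELS) {
  if (bytes.length < 54) return { ok: false, reason: 'truncated header' };
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (bytes[0] !== 0x42 || bytes[1] !== 0x4d) return { ok: false, reason: 'bad magic' };
  const pixelOffset = view.getUint32(10, true);   // start of pixel array
  const dibSize = view.getUint32(14, true);       // 40 = BITMAPINFOHEADER
  if (dibSize < 40) return { ok: false, reason: 'unsupported DIB header' };
  const width = view.getInt32(18, true);
  const height = Math.abs(view.getInt32(22, true));  // negative = top-down rows
  const bpp = view.getUint16(28, true);
  const compression = view.getUint32(30, true);      // 0 = BI_RGB (uncompressed)
  if (width <= 0 || height === 0) return { ok: false, reason: 'non-positive dimension' };
  if (![1, 4, 8, 16, 24, 32].includes(bpp)) return { ok: false, reason: 'bad bpp' };

  // JS numbers are doubles, so this product cannot wrap the way a 32-bit
  // multiplication in a decoder would.
  const pixels = width * height;
  if (pixels > maxPixels) return { ok: false, reason: 'exceeds pixel budget', width, height };

  // Rows are padded to 4-byte boundaries; for uncompressed data the file must
  // actually contain every row it declares.
  const stride = Math.floor((width * bpp + 31) / 32) * 4;
  if (compression === 0 && pixelOffset + stride * height > bytes.length) {
    return { ok: false, reason: 'file shorter than declared pixel data' };
  }
  return { ok: true, width, height, bpp, outputBytes: pixels * 4 };
}

// Constructed test input: a 54-byte file header + BITMAPINFOHEADER followed by
// pixelDataLength bytes of zeros. Used here only to exercise the check.
function makeBmpHeader(width, height, bpp, pixelDataLength) {
  const bytes = new Uint8Array(54 + pixelDataLength);
  const view = new DataView(bytes.buffer);
  bytes[0] = 0x42; bytes[1] = 0x4d;          // "BM"
  view.setUint32(2, bytes.length, true);     // file size
  view.setUint32(10, 54, true);              // pixel data offset
  view.setUint32(14, 40, true);              // DIB header size
  view.setInt32(18, width, true);
  view.setInt32(22, height, true);
  view.setUint16(26, 1, true);               // planes
  view.setUint16(28, bpp, true);
  view.setUint32(30, 0, true);               // BI_RGB
  return bytes;
}
```

Run the check on the bytes before calling addImage (or before letting html() fetch an image URL); a rejected header costs a 54-byte read instead of a multi-gigabyte allocation.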


4) Race Condition (CVE-ID: CVE-2026-24040)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to a race condition in the addJS method when generating PDFs concurrently. A remote attacker can trigger simultaneous PDF generation requests to disclose sensitive information.

This can cause a PDF generated for one user to contain JavaScript content and embedded sensitive data intended for another user.
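Added example, not jsPDF's code, modelling the class of flaw described for item 4: a document object whose state is shared across concurrent requests, with the point where a real handler would await (loading the user's data) written as an explicit yield so the interleaving is deterministic and testable. PdfModel, renderRequest and the USERS data are constructed for the example; giving each request its own instance is the general mitigation for shared-state leaks and is not a description of the vendor's patch.

```javascript
// Added example, not jsPDF code: why one document reused across concurrent
// requests mixes users' content, and the per-request alternative.
class PdfModel {
  constructor() { this.scripts = []; this.text = []; }
  addJS(code) { this.scripts.push(code); }        // stands in for doc.addJS
  addText(s) { this.text.push(s); }
  output() { return { scripts: [...this.scripts], text: [...this.text] }; }
}

// One request, as a generator: the yield marks where a real handler awaits.
function* renderRequest(getDoc, user) {
  const doc = getDoc();
  doc.addJS(`app.alert("Statement for ${user.name}")`);
  yield;                                    // await db.loadAccount(user) ...
  doc.addText(user.secret);
  return doc.output();
}

// Round-robin scheduler: advances each request one step at a time, which is
// the order an event loop produces when both handlers are waiting on I/O.
function runInterleaved(generators) {
  const results = new Array(generators.length);
  const pending = generators.map((g, i) => ({ g, i }));
  while (pending.length) {
    const { g, i } = pending.shift();
    const step = g.next();
    if (step.done) results[i] = step.value; else pending.push({ g, i });
  }
  return results;
}

const USERS = [  // constructed sample data
  { name: 'alice', secret: 'alice-account-number' },
  { name: 'bob', secret: 'bob-account-number' },
];

// Vulnerable pattern: a single instance reused for every request.
function renderWithSharedDoc() {
  const shared = new PdfModel();
  return runInterleaved(USERS.map((u) => renderRequest(() => shared, u)));
}

// Mitigation: each request builds its own document, so nothing crosses over.
function renderWithPerRequestDoc() {
  return runInterleaved(USERS.map((u) => renderRequest(() => new PdfModel(), u)));
}

// Does any user's output carry another user's script or data?
function leaksAcrossUsers(outputs) {
  return outputs.some((out, i) =>
    out.text.some((t) => t !== USERS[i].secret) ||
    out.scripts.some((s) => !s.includes(USERS[i].name)));
}
```

In the shared case bob's output ends up with both users' scripts and both account numbers, which is the cross-user disclosure the bulletin describes; the per-request version is clean under the same interleaving. The same reasoning applies to any module-level cache or buffer a library keeps between calls.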


Remediation

Install the update from the vendor's website.