CVE-2026-24040

N/A Unknown

📋 TL;DR

CVE-2026-24040 is a concurrency vulnerability in jsPDF's addJS method that causes cross-user data leakage. When multiple users generate PDFs simultaneously in server-side environments, JavaScript content from one user can appear in another user's PDF. This primarily affects Node.js web servers using jsPDF versions before 4.1.0.

💻 Affected Systems

Products:

• jsPDF

Versions: All versions before 4.1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Primarily affects server-side Node.js environments with concurrent PDF generation. Client-side usage may also be vulnerable in multi-threaded scenarios.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive user data (like personal information, authentication tokens, or private content) intended for one user appears in another user's generated PDF, leading to data breaches and privacy violations.

🟠

Likely Case

JavaScript code or embedded data leaks between concurrent PDF generation requests, potentially exposing user-specific information to unauthorized parties.

🟢

If Mitigated

With proper isolation or patching, no data leakage occurs between user sessions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires concurrent PDF generation requests. No authentication needed as it's a race condition in shared variable usage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.0

Vendor Advisory: https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4

Restart Required: Yes

Instructions:

1. Update jsPDF to version 4.1.0 or later using npm: npm update jspdf
2. Restart your Node.js application
3. Verify the update with: npm list jspdf

🔧 Temporary Workarounds

Implement request isolation

all

Ensure PDF generation happens in isolated contexts per request, avoiding shared module variables.

🧯 If You Can't Patch

• Implement rate limiting to reduce concurrent PDF generation requests
• Use separate worker processes for PDF generation with isolated memory spaces

🔍 How to Verify

Check if Vulnerable:

Copy

Check package.json or run: npm list jspdf | grep jspdf

Check Version:

Copy

npm list jspdf

Verify Fix Applied:

Copy

Confirm installed version is 4.1.0 or higher: npm list jspdf

📡 Detection & Monitoring

Log Indicators:

• Multiple concurrent PDF generation requests
• Unexpected JavaScript content in generated PDFs

Network Indicators:

• High volume of PDF generation requests to same endpoint

SIEM Query:

Copy

source="application_logs" AND "PDF generation" AND (concurrent_requests > threshold)

📊 Metadata

CVE ID: CVE-2026-24040

CVSS v3 Score: N/A (Unknown)

CWE: CWE-362

Published: February 2, 2026

Last Updated: February 4, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

• https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e
• https://github.com/parallax/jsPDF/releases/tag/v4.1.0
• https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4

📤 Share This

Twitter LinkedIn Reddit Copy Link