CVE-2026-24043

N/A Unknown

📋 TL;DR

This vulnerability in jsPDF allows attackers to inject arbitrary XML metadata into generated PDFs by controlling the first argument of the addMetadata function. This compromises PDF integrity, particularly affecting signed documents. Applications using jsPDF versions before 4.1.0 that allow user input to the addMetadata method are vulnerable.

💻 Affected Systems

Products:
  • jsPDF
Versions: All versions prior to 4.1.0
Operating Systems: All platforms using JavaScript/Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if applications pass user-controlled input to the addMetadata method without sanitization.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Compromised PDF integrity leads to invalidated digital signatures, enabling document tampering, fraud, or bypassing document validation systems that rely on PDF signatures.

🟠

Likely Case

Injection of malicious metadata that could trigger parsing issues in downstream PDF processors or cause unexpected behavior in applications that read PDF metadata.

🟢

If Mitigated

Limited impact if input validation prevents user control of addMetadata arguments or if PDFs are not signed or processed after generation.

🌐 Internet-Facing: MEDIUM - Web applications generating PDFs from user input could be exploited, but requires specific conditions and user interaction.
🏢 Internal Only: LOW - Internal applications typically have more controlled input and less exposure to malicious actors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user input to reach the vulnerable addMetadata function, which depends on application implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.0

Vendor Advisory: https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422

Restart Required: No

Instructions:

1. Update jsPDF dependency to version 4.1.0 or later. 2. For npm: 'npm update jspdf'. 3. For yarn: 'yarn upgrade jspdf'. 4. Verify the update in package.json.

🔧 Temporary Workarounds

Input Sanitization

all

Implement strict input validation and sanitization for any user-provided data passed to the addMetadata method.

Avoid User-Controlled Metadata

all

Do not allow user input to control the first argument of addMetadata; use hardcoded or server-controlled values instead.

🧯 If You Can't Patch

  • Implement strict input validation to reject or sanitize XML special characters in user input before passing to addMetadata.
  • Disable or restrict the addMetadata functionality if not essential for your application.

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/jspdf/package.json for version number. If version is less than 4.1.0, the system is vulnerable if using addMetadata with user input.

Check Version:

npm list jspdf | grep jspdf

Verify Fix Applied:

Confirm jsPDF version is 4.1.0 or higher in package.json and test that user input to addMetadata no longer allows XML injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF generation errors, unexpected XML parsing in PDF metadata, or anomalies in PDF signature validation logs.

Network Indicators:

  • Increased PDF generation requests with unusual parameters, particularly to endpoints that generate PDFs with metadata.

SIEM Query:

Search for application logs containing 'addMetadata' with user-provided parameters or PDF generation errors related to XML parsing.

📊 Metadata

CVE ID: CVE-2026-24043
CVSS v3 Score: N/A (Unknown)
CWE: CWE-74
Published: February 2, 2026
Last Updated: February 4, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

📤 Share This