Vulnerabilities

 4 via 4 paths

Dependencies

 17

Source

 GitHub

Commit

 0be0c391

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 2
  • 1
  • 1
Status
  • 4
  • 0
  • 0

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: jspdf
  • Introduced through: jspdf@4.0.0

Detailed paths

  • Introduced through: svgedit@SVG-Edit/svgedit#0be0c3916c0ed453a64916f35f12cd453f890605 jspdf@4.0.0
    Remediation: Upgrade to jspdf@4.1.0.

Overview

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the addImage and html methods when processing BMP image data with unvalidated dimensions. An attacker can cause excessive memory allocation and application unavailability by supplying a BMP file with large width or height values.

Workaround

This vulnerability can be mitigated by sanitizing image data or URLs before passing them to the affected methods.

PoC

import { jsPDF } from "jspdf" 

// malicious BMP image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "BMP", 0, 0, 100, 100);

Remediation

Upgrade jspdf to version 4.1.0 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Improper Encoding or Escaping of Output

  • Vulnerable module: jspdf
  • Introduced through: jspdf@4.0.0

Detailed paths

  • Introduced through: svgedit@SVG-Edit/svgedit#0be0c3916c0ed453a64916f35f12cd453f890605 jspdf@4.0.0
    Remediation: Upgrade to jspdf@4.1.0.

Overview

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, or AcroFormRadioButton.appearanceState functions. An attacker can execute arbitrary JavaScript code in the PDF reader's context by injecting malicious PDF objects, such as JavaScript actions, which are triggered when the user opens the PDF document.

Workaround

This vulnerability can be mitigated by sanitizing user input before passing it to the affected API members.

PoC

import { jsPDF } from "jspdf"
const doc = new jsPDF();

var choiceField = new doc.AcroFormChoiceField();
choiceField.T = "VulnerableField";
choiceField.x = 20;
choiceField.y = 20;
choiceField.width = 100;
choiceField.height = 20;

// PAYLOAD:
// 1. Starts with "/" to bypass escaping.
// 2. "dummy]" closes the array.
// 3. "/AA" injects an Additional Action (Focus event).
// 4. "/JS" executes arbitrary JavaScript.
const payload = "/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert('XSS')) >> >> /Garbage [";

choiceField.addOption(payload);
doc.addField(choiceField);

doc.save("test.pdf");

Remediation

Upgrade jspdf to version 4.1.0 or higher.

References

Improper Encoding or Escaping of Output vulnerability report

medium severity
new

XML Injection

  • Vulnerable module: jspdf
  • Introduced through: jspdf@4.0.0

Detailed paths

  • Introduced through: svgedit@SVG-Edit/svgedit#0be0c3916c0ed453a64916f35f12cd453f890605 jspdf@4.0.0
    Remediation: Upgrade to jspdf@4.1.0.

Overview

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to XML Injection via the addMetadata function. An attacker can compromise the integrity of generated PDF files by injecting arbitrary XML into the XMP metadata, potentially spoofing document authorship or other metadata fields.

Workaround

Sanitize user input, e.g., escaping XML entities before passing it to the addMetadata method.

PoC

import { jsPDF } from "jspdf"

const doc = new jsPDF()

// Input a string that closes the current XML tag and opens a new one.
// We are injecting a fake "dc:creator" (Author) to spoof the document source.
const maliciousInput = '</jspdf:metadata></rdf:Description>' +
    '<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">' +
    '<dc:creator>TRUSTED_ADMINISTRATOR</dc:creator>' + // <--- Spoofed Identity
    '</rdf:Description>' +
    '<rdf:Description><jspdf:metadata>'

// The application innocently adds the user's input to the metadata
doc.addMetadata(maliciousInput, "http://valid.namespace")

doc.save("test.pdf")

Remediation

Upgrade jspdf to version 4.1.0 or higher.

References

XML Injection vulnerability report

low severity
new

Race Condition

  • Vulnerable module: jspdf
  • Introduced through: jspdf@4.0.0

Detailed paths

  • Introduced through: svgedit@SVG-Edit/svgedit#0be0c3916c0ed453a64916f35f12cd453f890605 jspdf@4.0.0
    Remediation: Upgrade to jspdf@4.1.0.

Overview

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Race Condition in the addJS function due to the use of a shared module-scoped variable for storing JavaScript content. An attacker can cause sensitive data intended for one user to be included in another user's PDF by making concurrent requests that exploit the shared state.

Note: This is only exploitable when used in a concurrent environment, e.g., on a Node.js web server.

Workaround

This vulnerability can be mitigated by avoiding the use of the addJS method in concurrent server-side environments or by ensuring requests are processed sequentially, such as with a queue.

Remediation

Upgrade jspdf to version 4.1.0 or higher.

References

Race Condition vulnerability report