Description
The addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests.
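The shared-state pattern described above, next to a per-document alternative, as an added example that is not jsPDF's source code. The factory functions, the request handler, and the user names are hypothetical and constructed for illustration.

```javascript
// Constructed illustration of the flaw class; not jsPDF's source.
let sharedScript = ""; // module scope: one slot for the whole process

// Pattern from the description: addJS writes to the module-level variable
// and serialization reads it back later.
function makeSharedDoc() {
  return {
    addJS(script) { sharedScript = script; return this; },
    output() { return `/JS (${sharedScript})`; },
  };
}

// Per-document alternative: the script lives in the document's own closure.
function makePerDocumentDoc() {
  let script = "";
  return {
    addJS(s) { script = s; return this; },
    output() { return `/JS (${script})`; },
  };
}

// Hypothetical request handler: embeds a per-user script, awaits other work
// (database, template, image fetch), then serializes the document.
async function handleRequest(makeDoc, user) {
  const doc = makeDoc().addJS(`app.alert('Statement for ${user}')`);
  await new Promise((resolve) => setImmediate(resolve)); // other requests run here
  return doc.output();
}

// Two requests in flight at once, as on a Node.js web server.
function renderConcurrently(makeDoc) {
  return Promise.all([
    handleRequest(makeDoc, "alice"),
    handleRequest(makeDoc, "bob"),
  ]);
}

async function demo() {
  // Shared slot: alice's document is serialized with bob's script.
  console.log("shared      :", await renderConcurrently(makeSharedDoc));
  // Per-document slot: each document keeps its own script.
  console.log("per-document:", await renderConcurrently(makePerDocumentDoc));
}

demo();
```

When auditing your own PDF-generation wrappers for the same flaw class, look for module-level `let`/`var` state that is written in one call and read in a later one across an `await`.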
Recommendation
Update the jspdf package to the latest compatible version. Version details:
- Affected version(s): <= 4.0.0
- Patched version(s): 4.1.0
References
Related Issues
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- jsPDF has a PDF Object Injection via FreeText color - CVE-2026-31898
- jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
- jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" pr - CVE-2026-25940
Tags
- npm
- jspdf
Last updated on February 03, 2026