jsPDF createAnnotation RCE Vulnerability (CVE-2026-31898)
Attackers can inject arbitrary JavaScript into PDFs via createAnnotation on jsPDF <4.2.1, enabling remote code execution. Update to v4.2.1+ immediately.
Vendor-confirmed: CVE-2026-31898 is a high-severity input validation flaw in jsPDF prior to 4.2.1 that lets attackers inject arbitrary PDF objects, including auto-executing JavaScript, through the createAnnotation color parameter. Upgrade to version 4.2.1 immediately to block exploitation.
Overview
A significant security flaw, identified as CVE-2026-31898, has been discovered in the popular jsPDF library, which is used to generate PDF documents in web browsers and Node.js applications. This vulnerability is rated HIGH with a CVSS score of 8.1. It allows an attacker to inject malicious content into a generated PDF, potentially compromising anyone who opens the file.
What is the Vulnerability?
In simple terms, this is an input validation flaw. Versions of jsPDF prior to 4.2.1 do not properly sanitize user-supplied input passed to the createAnnotation method, specifically through the color parameter. An attacker who can control this input (for example, by submitting a specially crafted form or URL parameter) can inject arbitrary PDF objects.
The most dangerous type of object that can be injected is a JavaScript action. This means the attacker can embed scripts that execute automatically when the PDF is opened or when a user interacts with an annotation (like a link or a note) in the PDF viewer.
Potential Impact
The primary risk is to end-users who open a malicious PDF generated by a vulnerable application. If successful, the injected JavaScript could:
- Redirect the user to phishing or malware-hosting websites.
- Perform actions on behalf of the user within the PDF viewer’s context.
- Potentially exploit other vulnerabilities in the PDF reader software itself.
This vulnerability is particularly concerning for web applications that dynamically generate PDFs from user-contributed data, such as report generators, invoicing systems, or document portals. A single compromised PDF could be used in targeted attacks. For context on how such exploits can lead to data compromise, you can review historical incidents in our breach reports.
Remediation and Mitigation
Immediate action is required to secure applications using jsPDF.
Primary Fix: Update the Library
The issue has been patched in jsPDF version 4.2.1. The most effective remediation is to upgrade your project’s jsPDF dependency to this version or later.
npm update jspdf
Workaround: Sanitize Input
If an immediate update is not possible, you must implement strict input sanitization. All user-controlled data that is passed to the createAnnotation method, or to any method that ultimately calls it, must be validated and sanitized. Treat this input as untrusted and restrict it to expected values (e.g., allow only specific, safe color formats).
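One way to apply this workaround, as an added example that is not part of jsPDF or of the vendor advisory: an allow-list check on the color value, enforced in a single wrapper around createAnnotation. The names assertSafeColor, createAnnotationSafely and classify are hypothetical, and the accepted format (hex colors only) is an assumption to adjust to what your application actually passes.

```javascript
// Added example, not jsPDF code. Assumption: the application only ever needs
// hex colors, written as "#RGB" or "#RRGGBB".
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

// Returns the color unchanged if it is on the allow-list, otherwise throws.
function assertSafeColor(value) {
  // Non-strings are rejected rather than coerced: an object or array can
  // stringify to arbitrary text once it is concatenated into the PDF.
  if (typeof value !== "string") {
    throw new TypeError("annotation color must be a string");
  }
  // Anchored match with no "m" flag, so a trailing newline or any PDF
  // delimiter such as ( ) < > / fails the check.
  if (!HEX_COLOR.test(value)) {
    throw new RangeError("annotation color is not an allowed hex value");
  }
  return value;
}

// Single choke point: application code calls this instead of
// doc.createAnnotation(), so no caller can skip validation.
function createAnnotationSafely(doc, options) {
  const clean = Object.assign({}, options); // copy; read each field only once
  if (clean.color !== undefined) {
    clean.color = assertSafeColor(clean.color);
  }
  return doc.createAnnotation(clean);
}

// Classifies constructed sample inputs as "accept" or "reject".
function classify(samples) {
  return samples.map((s) => {
    try {
      assertSafeColor(s);
      return "accept";
    } catch (e) {
      return "reject";
    }
  });
}

// Constructed inputs: two valid colors, a named color, a value carrying PDF
// delimiters, a value with a trailing newline, and a non-string.
console.log(classify(["#1a2b3c", "#FFF", "red", "#ff0000) extra", "#ff0000\n", ["#fff"]]));
```

Rejecting instead of stripping characters keeps the check easy to reason about: anything outside the allow-list never reaches the library.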
Next Steps
- Inventory all applications and services that use the jsPDF library.
- Prioritize updating public-facing web applications that generate PDFs from user input.
- Test the updated library in your development environment before deploying to production.
Staying informed about such vulnerabilities is crucial for maintaining security. For the latest updates on threats and patches, follow our security news.