jsPDF Shared State Race Condition Vulnerability in addJS Method Allows Cross-User Data Leakage

Vulnerability

A shared state race condition vulnerability has been identified in the jsPDF library, specifically in versions through 4.0.0. The issue arises in the Node.js build, where the addJS method uses a shared module-scoped variable to store JavaScript content. In concurrent environments, such as a Node.js web server, this variable is accessible across all requests. As a result, if multiple requests to generate PDFs are made simultaneously, the JavaScript content for one user can be overwritten by another, leading to cross-user data leakage. This means that the PDF generated for one user may inadvertently include JavaScript payloads and sensitive data intended for another user. While this vulnerability primarily affects server-side environments, similar race conditions could occur if jsPDF is used client-side.

Impact

Exploitation of this vulnerability causes cross-user data leakage, where a PDF generated for one user contains JavaScript and any embedded sensitive data intended for another user.

Reproduction

To reproduce this vulnerability, create two instances of jsPDF in a Node.js environment. Have User A add a JavaScript payload to their PDF using the addJS method, then have User B add their own payload. When User A saves their PDF, it will contain User B's payload instead of their own, demonstrating the data leakage.

Remediation

Users can upgrade to jsPDF version 4.1.0 or later, where this vulnerability has been fixed. The patch moves the shared variable into the function scope, ensuring that data is not overwritten between different jsPDF instances. For those unable to upgrade, a temporary workaround is to avoid using the addJS method in concurrent server-side environments, or to process requests sequentially using a queue.

Added: Feb 2, 2026, 11:32 PM
Updated: Feb 2, 2026, 11:32 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.3
exploitability: 3.6
remediation: 8.3
relevance: 2.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.