parallax jsPDF
cpe:2.3:a:parall:jspdf:*:*:*:*:node.js:*:*
- <= 4.0.0
A vulnerability in jsPDF versions prior to 4.1.0 allows for the injection of arbitrary XMP metadata into generated PDFs. This issue arises from user control over the first argument of the addMetadata function, which can be exploited to inject unsanitized XML. If the modified PDF is signed, stored, or processed afterwards, its integrity cannot be assured.
Exploitation of this vulnerability allows for the injection of malicious XMP metadata, which can spoof document information and compromise PDF integrity, especially if the file is signed or processed after creation.
To reproduce this vulnerability, use jsPDF version 4.0.0 or earlier. Create a new PDF document and call the addMetadata function with unsanitized input that includes XML markup. Injected data can close existing XML tags and introduce new ones, such as a fake 'dc:creator' element to impersonate a trusted author. After saving the PDF, the injected metadata will be embedded in the document.
Users can upgrade to jsPDF version 4.1.0 or later, where this vulnerability has been fixed. Additionally, it is recommended to sanitize metadata inputs by escaping XML entities before using the addMetadata function.
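One way to apply the escaping recommended above, as an added example that is not jsPDF's own code or the 4.1.0 fix. `escapeXml`, `wrapForCheck` and `countOpeningTags` are hypothetical helpers, and the wrapper is a simplified stand-in for the XMP packet, used only to confirm that escaped input adds no elements.

```javascript
// Added example. Helper names are hypothetical and not part of jsPDF.
const XML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };

// Characters XML 1.0 forbids outright; escaping cannot make them legal, so drop them.
const XML_ILLEGAL = /[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]/gu;

// Turn untrusted text into XML character data that cannot open or close a tag.
function escapeXml(value) {
  return String(value)
    .replace(XML_ILLEGAL, "")
    .replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Simplified stand-in for the XMP packet (an assumption, not jsPDF's template).
function wrapForCheck(metadata) {
  return `<rdf:Description><jspdf:metadata>${metadata}</jspdf:metadata></rdf:Description>`;
}

// Count element start tags so raw and escaped input can be compared.
function countOpeningTags(xml) {
  return (xml.match(/<[A-Za-z][\w:.-]*/g) || []).length;
}

// Constructed sample: a title field carrying the kind of markup the advisory describes.
const untrusted =
  "Q3 report</jspdf:metadata><dc:creator>Trusted Author</dc:creator><jspdf:metadata>";

// Raw input adds elements to the wrapper; escaped input leaves only the wrapper's own two.
console.log("raw:", countOpeningTags(wrapForCheck(untrusted)));
console.log("escaped:", countOpeningTags(wrapForCheck(escapeXml(untrusted))));

// With jsPDF, escape before the call: doc.addMetadata(escapeXml(untrusted));
```

Escaping belongs at the call site even after upgrading, so the value stays inert if it is later copied into another XML context.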