parallax jsPDF
cpe:2.3:a:parall:jspdf:*:*:*:*:node.js:*:*
- <= 4.1.0
A PDF object injection vulnerability exists in the jsPDF library in versions through 4.1.0. The issue arises in the addJS method, where user input is not properly sanitized before being added to the PDF stream. This lack of sanitization allows attackers to escape the JavaScript string delimiter and inject arbitrary PDF objects, such as actions or metadata, into the document. The injected objects can execute malicious actions or alter the document structure, affecting users who open the PDF.
Exploitation of this vulnerability allows for PDF object injection, bypassing security restrictions in PDF viewers. This could lead to unauthorized execution of actions, manipulation of document metadata, or phishing attacks.
To reproduce this vulnerability, create a new jsPDF document and use the addJS method to inject a payload that escapes the JavaScript string delimiter. The payload can include PDF actions or objects, such as an 'Additional Action' that triggers an alert when the PDF is opened.
Upgrade jsPDF to version 4.2.0 or later. Additionally, escape parentheses and backslashes in user-provided JavaScript input before using the addJS method.
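The escaping step recommended above, as an added example (not jsPDF's own code or its patch). The helper names are hypothetical, the sample input is constructed and inert, and the `doc` argument is assumed only to expose the `addJS(string)` method named on this page.

```javascript
// Escape the characters that are significant inside a PDF literal string "( ... )".
// One regex pass handles backslash and both parentheses, so nothing is escaped twice.
// The PDF reader undoes these escapes, so the script it runs is the original text.
function escapePdfLiteral(text) {
  return String(text).replace(/[\\()]/g, (ch) => "\\" + ch);
}

// Scan `body` the way a PDF parser scans a literal string: a backslash consumes the
// next character, unescaped parentheses nest, and an unmatched ")" ends the string.
// Reports whether the whole body would stay inside the "( ... )" delimiters.
function literalBreakout(body) {
  let depth = 0;
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === "\\") {
      // A final backslash would escape the closing delimiter itself.
      if (i === body.length - 1) return { safe: false, reason: "trailing backslash", index: i };
      i++;
    } else if (ch === "(") {
      depth++;
    } else if (ch === ")") {
      if (depth === 0) return { safe: false, reason: "unmatched )", index: i };
      depth--;
    }
  }
  return depth === 0
    ? { safe: true, reason: "", index: -1 }
    : { safe: false, reason: "unclosed (", index: -1 };
}

// Hypothetical wrapper: escape untrusted script text, verify the result cannot
// terminate the literal early, then hand it to addJS.
function addJSEscaped(doc, untrustedJs) {
  const escaped = escapePdfLiteral(untrustedJs);
  const check = literalBreakout(escaped);
  if (!check.safe) throw new Error("refusing addJS input: " + check.reason);
  doc.addJS(escaped);
  return escaped;
}

// Constructed sample: the second ")" is unmatched and would close the string early.
const sample = "var n = (1 + 2);) /ConstructedMarker (x";
const stubDoc = { calls: [], addJS(s) { this.calls.push(s); } }; // stand-in for a jsPDF document
console.log(literalBreakout(sample));        // raw input: not safe
console.log(addJSEscaped(stubDoc, sample));  // escaped form passed to addJS
```

If the installed jsPDF version already escapes inside addJS, using this wrapper as well would escape the input twice; the page does not state which versions do so.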