jspdf 2.1.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the jspdf package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in `jspdf.js`, when user-controlled values are passed to the `options` argument, then included unsanitized in the generated HTML and opened by another user. An attacker can cause the execution of scripts in the victim's browser context by supplying malicious input to the `pdfObjectUrl` option for `"pdfobjectnewwindow"`, the `pdfJsUrl` and `filename` options for `"pdfjsnewwindow"`, and the `filename` option for `"dataurlnewwindow"`. How to fix Cross-site Scripting (XSS)? Upgrade `jspdf` to version 4.2.1 or higher.	<4.2.1
M Improper Encoding or Escaping of Output jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the `createAnnotation()` method, whose `color` parameter can be injected with script objects. An attacker can inject PDF objects as freetext annotations, which may be executed when a user opens the file. How to fix Improper Encoding or Escaping of Output? Upgrade `jspdf` to version 4.2.1 or higher.	<4.2.1
H Improper Encoding or Escaping of Output jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the `appearanceState` property of the `AcroForm` module. An attacker can execute arbitrary JavaScript code in the context of the PDF viewer by injecting malicious input into this property, which is then triggered when a victim interacts with a crafted PDF file. How to fix Improper Encoding or Escaping of Output? Upgrade `jspdf` to version 4.2.0 or higher.	<4.2.0
H Allocation of Resources Without Limits or Throttling jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `addImage` and `html` methods. An attacker can cause excessive memory allocation and application unavailability by supplying malicious GIF files with large width or height values as image data or URLs. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `jspdf` to version 4.2.0 or higher.	<4.2.0
H Improper Encoding or Escaping of Output jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the `addJS` method. An attacker can inject arbitrary PDF objects and execute malicious actions or alter the document structure by supplying specially crafted input that escapes the JavaScript string delimiter. This can impact any user who opens the generated PDF. How to fix Improper Encoding or Escaping of Output? Upgrade `jspdf` to version 4.2.0 or higher.	<4.2.0
H Improper Encoding or Escaping of Output jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the `AcroformChoiceField.addOption`, `AcroformChoiceField.setOptions`, `AcroFormCheckBox.appearanceState`, or `AcroFormRadioButton.appearanceState` functions. An attacker can execute arbitrary JavaScript code in the PDF reader's context by injecting malicious PDF objects, such as JavaScript actions, which are triggered when the user opens the PDF document. How to fix Improper Encoding or Escaping of Output? Upgrade `jspdf` to version 4.1.0 or higher.	<4.1.0
H Allocation of Resources Without Limits or Throttling jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `addImage` and `html` methods when processing BMP image data with unvalidated dimensions. An attacker can cause excessive memory allocation and application unavailability by supplying a BMP file with large width or height values. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `jspdf` to version 4.1.0 or higher.	<4.1.0
L Race Condition jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Race Condition in the `addJS` function due to the use of a shared module-scoped variable for storing JavaScript content. An attacker can cause sensitive data intended for one user to be included in another user's PDF by making concurrent requests that exploit the shared state. Note: This is only exploitable when used in a concurrent environment, e.g., on a Node.js web server. How to fix Race Condition? Upgrade `jspdf` to version 4.1.0 or higher.	<4.1.0
M XML Injection jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to XML Injection via the `addMetadata` function. An attacker can compromise the integrity of generated PDF files by injecting arbitrary XML into the XMP metadata, potentially spoofing document authorship or other metadata fields. How to fix XML Injection? Upgrade `jspdf` to version 4.1.0 or higher.	<4.1.0
C External Control of File Name or Path jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to External Control of File Name or Path via the `loadFile`, `addImage`, `html` and `addFont` functions. An attacker can access and include arbitrary files from the local file system into generated PDFs. How to fix External Control of File Name or Path? Upgrade `jspdf` to version 4.0.0 or higher.	<4.0.0
H Allocation of Resources Without Limits or Throttling jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `addImage` or `html` methods. An attacker can cause excessive CPU utilization and application unresponsiveness by supplying malicious PNG image data or URLs. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `jspdf` to version 3.0.2 or higher.	<3.0.2
H Regular Expression Denial of Service (ReDoS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `addImage()`, `html()`, and `addSvgAsImage()` methods. An attacker can occupy excessive CPU by supplying a malicious data-url. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `jspdf` to version 3.0.1 or higher.	<3.0.1
M Regular Expression Denial of Service (ReDoS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). ReDoS is possible via the addImage function. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `jspdf` to version 2.3.1 or higher.	<2.3.1

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in jspdf.js, when user-controlled values are passed to the options argument, then included unsanitized in the generated HTML and opened by another user. An attacker can cause the execution of scripts in the victim's browser context by supplying malicious input to the pdfObjectUrl option for "pdfobjectnewwindow", the pdfJsUrl and filename options for "pdfjsnewwindow", and the filename option for "dataurlnewwindow".

How to fix Cross-site Scripting (XSS)?

Upgrade jspdf to version 4.2.1 or higher.

<4.2.1

Improper Encoding or Escaping of Output

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the createAnnotation() method, whose color parameter can be injected with script objects. An attacker can inject PDF objects as freetext annotations, which may be executed when a user opens the file.

How to fix Improper Encoding or Escaping of Output?

Upgrade jspdf to version 4.2.1 or higher.

<4.2.1

Improper Encoding or Escaping of Output

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the appearanceState property of the AcroForm module. An attacker can execute arbitrary JavaScript code in the context of the PDF viewer by injecting malicious input into this property, which is then triggered when a victim interacts with a crafted PDF file.

How to fix Improper Encoding or Escaping of Output?

Upgrade jspdf to version 4.2.0 or higher.

<4.2.0

Allocation of Resources Without Limits or Throttling

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the addImage and html methods. An attacker can cause excessive memory allocation and application unavailability by supplying malicious GIF files with large width or height values as image data or URLs.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade jspdf to version 4.2.0 or higher.

<4.2.0

Improper Encoding or Escaping of Output

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the addJS method. An attacker can inject arbitrary PDF objects and execute malicious actions or alter the document structure by supplying specially crafted input that escapes the JavaScript string delimiter. This can impact any user who opens the generated PDF.

How to fix Improper Encoding or Escaping of Output?

Upgrade jspdf to version 4.2.0 or higher.

<4.2.0

Improper Encoding or Escaping of Output

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, or AcroFormRadioButton.appearanceState functions. An attacker can execute arbitrary JavaScript code in the PDF reader's context by injecting malicious PDF objects, such as JavaScript actions, which are triggered when the user opens the PDF document.

How to fix Improper Encoding or Escaping of Output?

Upgrade jspdf to version 4.1.0 or higher.

<4.1.0

Allocation of Resources Without Limits or Throttling

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the addImage and html methods when processing BMP image data with unvalidated dimensions. An attacker can cause excessive memory allocation and application unavailability by supplying a BMP file with large width or height values.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade jspdf to version 4.1.0 or higher.

<4.1.0

Race Condition

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Race Condition in the addJS function due to the use of a shared module-scoped variable for storing JavaScript content. An attacker can cause sensitive data intended for one user to be included in another user's PDF by making concurrent requests that exploit the shared state.

Note: This is only exploitable when used in a concurrent environment, e.g., on a Node.js web server.

How to fix Race Condition?

Upgrade jspdf to version 4.1.0 or higher.

<4.1.0

XML Injection

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to XML Injection via the addMetadata function. An attacker can compromise the integrity of generated PDF files by injecting arbitrary XML into the XMP metadata, potentially spoofing document authorship or other metadata fields.

How to fix XML Injection?

Upgrade jspdf to version 4.1.0 or higher.

<4.1.0

External Control of File Name or Path

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to External Control of File Name or Path via the loadFile, addImage, html and addFont functions. An attacker can access and include arbitrary files from the local file system into generated PDFs.

How to fix External Control of File Name or Path?

Upgrade jspdf to version 4.0.0 or higher.

<4.0.0

Allocation of Resources Without Limits or Throttling

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the addImage or html methods. An attacker can cause excessive CPU utilization and application unresponsiveness by supplying malicious PNG image data or URLs.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade jspdf to version 3.0.2 or higher.

<3.0.2

Regular Expression Denial of Service (ReDoS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the addImage(), html(), and addSvgAsImage() methods. An attacker can occupy excessive CPU by supplying a malicious data-url.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade jspdf to version 3.0.1 or higher.

<3.0.1

Regular Expression Denial of Service (ReDoS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). ReDoS is possible via the addImage function.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade jspdf to version 2.3.1 or higher.

<2.3.1

jspdf@2.1.0 vulnerabilities

PDF Document creation from JavaScript

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically