jspdf 4.1.0

Direct Vulnerabilities

Known vulnerabilities in the jspdf package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in `jspdf.js`, when user-controlled values are passed to the `options` argument, then included unsanitized in the generated HTML and opened by another user. An attacker can cause the execution of scripts in the victim's browser context by supplying malicious input to the `pdfObjectUrl` option for `"pdfobjectnewwindow"`, the `pdfJsUrl` and `filename` options for `"pdfjsnewwindow"`, and the `filename` option for `"dataurlnewwindow"`. How to fix Cross-site Scripting (XSS)? Upgrade `jspdf` to version 4.2.1 or higher.	<4.2.1
M Improper Encoding or Escaping of Output jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the `createAnnotation()` method, whose `color` parameter can be injected with script objects. An attacker can inject PDF objects as freetext annotations, which may be executed when a user opens the file. How to fix Improper Encoding or Escaping of Output? Upgrade `jspdf` to version 4.2.1 or higher.	<4.2.1
H Improper Encoding or Escaping of Output jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the `appearanceState` property of the `AcroForm` module. An attacker can execute arbitrary JavaScript code in the context of the PDF viewer by injecting malicious input into this property, which is then triggered when a victim interacts with a crafted PDF file. How to fix Improper Encoding or Escaping of Output? Upgrade `jspdf` to version 4.2.0 or higher.	<4.2.0
H Allocation of Resources Without Limits or Throttling jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `addImage` and `html` methods. An attacker can cause excessive memory allocation and application unavailability by supplying malicious GIF files with large width or height values as image data or URLs. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `jspdf` to version 4.2.0 or higher.	<4.2.0
H Improper Encoding or Escaping of Output jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the `addJS` method. An attacker can inject arbitrary PDF objects and execute malicious actions or alter the document structure by supplying specially crafted input that escapes the JavaScript string delimiter. This can impact any user who opens the generated PDF. How to fix Improper Encoding or Escaping of Output? Upgrade `jspdf` to version 4.2.0 or higher.	<4.2.0

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)