Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit e33fcb757d0a · 2026-02-02T18:29:53.000Z
GHSA-95fx-jjr5-f39c GHSA-vm32-vv63-w422
diff --git a/advisories/github-reviewed/2026/02/GHSA-95fx-jjr5-f39c/GHSA-95fx-jjr5-f39c.json b/advisories/github-reviewed/2026/02/GHSA-95fx-jjr5-f39c/GHSA-95fx-jjr5-f39c.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-95fx-jjr5-f39c",
+  "modified": "2026-02-02T18:29:13Z",
+  "published": "2026-02-02T18:29:13Z",
+  "aliases": [
+    "CVE-2026-24133"
+  ],
+  "summary": "jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder",
+  "details": "### Impact\n\nUser control of the first argument of the `addImage` method results in Denial of Service.\n\nIf given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, wich lead to excessive memory allocation.\n\nOther affected methods are: `html`.\n\nExample attack vector:\n\n```js\nimport { jsPDF } from \"jspdf\" \n\n// malicious BMP image data with large width/height headers\nconst payload = ...\n\nconst doc = new jsPDF();\n\ndoc.addImage(payload, \"BMP\", 0, 0, 100, 100);\n```\n\n### Patches\n\nThe vulnerability has been fixed in jsPDF 4.1.0. Upgrade to jspdf@>=4.1.0.\n\n### Workarounds\n\nSanitize image data or URLs before passing it to the addImage method or one of the other affected methods.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "jspdf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.1.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.0.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parallax/jsPDF"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20",
+      "CWE-400",
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-02T18:29:13Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/02/GHSA-vm32-vv63-w422/GHSA-vm32-vv63-w422.json b/advisories/github-reviewed/2026/02/GHSA-vm32-vv63-w422/GHSA-vm32-vv63-w422.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vm32-vv63-w422",
+  "modified": "2026-02-02T18:28:29Z",
+  "published": "2026-02-02T18:28:29Z",
+  "aliases": [
+    "CVE-2026-24043"
+  ],
+  "summary": "jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)",
+  "details": "### Impact\n\nUser control of the first argument of the `addMetadata` function allows users to inject arbitrary XML.\n\nIf given the possibility to pass unsanitized input to the `addMetadata` method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed.\n\nExample attack vector:\n\n```js\nimport { jsPDF } from \"jspdf\"\n\nconst doc = new jsPDF()\n\n// Input a string that closes the current XML tag and opens a new one.\n// We are injecting a fake \"dc:creator\" (Author) to spoof the document source.\nconst maliciousInput = '</jspdf:metadata></rdf:Description>' +\n    '<rdf:Description xmlns:dc=\"http://purl.org/dc/elements/1.1/\">' +\n    '<dc:creator>TRUSTED_ADMINISTRATOR</dc:creator>' + // <--- Spoofed Identity\n    '</rdf:Description>' +\n    '<rdf:Description><jspdf:metadata>'\n\n// The application innocently adds the user's input to the metadata\ndoc.addMetadata(maliciousInput, \"http://valid.namespace\")\n\ndoc.save(\"test.pdf\")\n```\n\n### Patches\n\nThe vulnerability has been fixed in jsPDF@4.1.0\n\n### Workarounds\n\nSanitize user input before passing it to the `addMetadata` method: escape XML entities. For example:\n\n```js\nlet input = \"...\"\n\ninput = input\n    .replace(/&/g, \"&amp;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/'/g, \"&apos;\")\n\ndoc.addMetadata(input)\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "jspdf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.1.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.0.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parallax/jsPDF"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20",
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-02T18:28:29Z",
+    "nvd_published_at": null
+  }
+}
