CVE-2026-24040
Race Condition in jsPDF addJS Causes Cross-User Data Leakage
Publication date: 2026-02-02
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parall | jspdf | to 4.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the jsPDF library prior to version 4.1.0, specifically in the addJS method of the Node.js build. The method uses a shared module-scoped variable to store JavaScript content, which is shared across all requests in a concurrent environment like a Node.js web server. When multiple requests generate PDFs simultaneously, the JavaScript content for one user can be overwritten by another request before the PDF is generated. This causes Cross-User Data Leakage, where a PDF generated for one user may contain JavaScript and sensitive data intended for another user.
How can this vulnerability impact me? :
This vulnerability can lead to Cross-User Data Leakage, meaning that sensitive information intended for one user could be exposed to another user through the generated PDF documents. This can compromise user privacy and data security, especially in server-side environments where multiple PDF generation requests are handled concurrently.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the jsPDF library to version 4.1.0 or later, as this version contains the fix for the vulnerability. Avoid using vulnerable versions of jsPDF in concurrent server-side environments to prevent cross-user data leakage.