CVE-2026-24040
Unknown Unknown - Not Provided
Race Condition in jsPDF addJS Causes Cross-User Data Leakage

Publication date: 2026-02-02

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in [email protected].
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24040
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
parall jspdf to 4.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the jsPDF library prior to version 4.1.0, specifically in the addJS method of the Node.js build. The method uses a shared module-scoped variable to store JavaScript content, which is shared across all requests in a concurrent environment like a Node.js web server. When multiple requests generate PDFs simultaneously, the JavaScript content for one user can be overwritten by another request before the PDF is generated. This causes Cross-User Data Leakage, where a PDF generated for one user may contain JavaScript and sensitive data intended for another user.

Impact Analysis

This vulnerability can lead to Cross-User Data Leakage, meaning that sensitive information intended for one user could be exposed to another user through the generated PDF documents. This can compromise user privacy and data security, especially in server-side environments where multiple PDF generation requests are handled concurrently.

Mitigation Strategies

Upgrade the jsPDF library to version 4.1.0 or later, as this version contains the fix for the vulnerability. Avoid using vulnerable versions of jsPDF in concurrent server-side environments to prevent cross-user data leakage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24040. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart