CVE-2026-31898
Received Received - Intake
Arbitrary PDF Object Injection in jsPDF createAnnotation

Publication date: 2026-03-18

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in [email protected]. As a workaround, sanitize user input before passing it to the vulnerable API members.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31898
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
parall jspdf to 4.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31898 is a vulnerability in the jsPDF library, which is used to generate PDFs in JavaScript. Prior to version 4.2.1, the `createAnnotation` method allowed user-controlled input, specifically in the `color` parameter for free text annotations, to inject arbitrary PDF objects including malicious JavaScript actions.

This means an attacker can craft a payload that, when passed as the color argument, injects harmful PDF content that might execute when the PDF is opened or interacted with.

The root cause is improper encoding or escaping of output (CWE-116), allowing injection of PDF objects due to unsanitized input.

The vulnerability was fixed in jsPDF version 4.2.1 by validating and sanitizing the color input and escaping annotation style strings to prevent injection.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to injection of arbitrary PDF objects, including JavaScript actions that execute when the PDF is opened or interacted with.'}, {'type': 'paragraph', 'content': "The impact includes high confidentiality and integrity loss, as malicious code could run on the user's system, potentially leading to data exposure or manipulation."}, {'type': 'paragraph', 'content': 'There is no impact on availability, but the attack requires no privileges and has low complexity, making it a significant risk.'}, {'type': 'paragraph', 'content': 'An example attack could launch external programs (e.g., calculator) via injected PDF actions, demonstrating the potential for executing arbitrary commands.'}] [3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves injection of arbitrary PDF objects via the `color` parameter in the `createAnnotation` method of the jsPDF library. Detection involves identifying PDFs generated with vulnerable jsPDF versions (prior to 4.2.1) that contain suspicious or malformed annotation color parameters.'}, {'type': 'paragraph', 'content': 'One practical approach is to inspect PDF files for annotations with unusual or suspicious color values that do not conform to valid hex color codes, especially those containing payloads resembling PDF object injections or JavaScript actions.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is exploited by passing crafted payloads to the `color` parameter, you can search for PDFs containing annotation style strings with suspicious patterns such as unexpected parentheses, PDF dictionary entries, or JavaScript keywords.'}, {'type': 'paragraph', 'content': 'Example command to search for suspicious annotation color payloads in PDF files (using grep on Unix-like systems):'}, {'type': 'list_item', 'content': "grep -a -E '/DS.*color:#?[^0-9a-fA-F]{1,}' suspicious.pdf"}, {'type': 'paragraph', 'content': 'Alternatively, you can extract annotation dictionaries from PDFs and look for `/DS` entries with non-hex color values or suspicious injection patterns.'}, {'type': 'paragraph', 'content': 'For network detection, monitor for PDF files generated by jsPDF versions prior to 4.2.1 being transferred or downloaded, and inspect their annotation color parameters for injection payloads.'}] [1, 3]

Mitigation Strategies

The primary mitigation is to upgrade the jsPDF library to version 4.2.1 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, sanitize all user inputs before passing them to the `createAnnotation` method, especially the `color` parameter, ensuring only valid hex color strings are accepted.

Implement input validation to reject or sanitize any input that does not conform to a strict hex color format (3 to 8 hexadecimal characters), and strip any leading `#` characters to prevent malformed color strings.

Avoid passing unsanitized or user-controlled input directly to annotation parameters that affect PDF object creation.

Review and apply any patches or updates provided by the jsPDF maintainers that address this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31898. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart