Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0.
Published: 2026-02-02
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

jsPDF, a JavaScript PDF generation library, contains a race condition in its addJS method. The method uses a shared variable to store JavaScript content, so when multiple Node.js requests generate PDFs at the same time, one user's JavaScript payload can overwrite another's. The result is that a PDF delivered to User A may contain the JavaScript and sensitive data that were intended for User B, leading to cross‑user data leakage.

Affected Systems

This flaw affects the Parallax jsPDF package in all releases prior to version 4.1.0. The vulnerability is relevant when the library is used in a Node.js environment, such as a web server that serves PDFs on demand. Client‑side use may also experience the race condition, though server‑side exposure is the main concern.

Risk and Exploitability

The flaw carries a CVSS score of 6.3 and an EPSS score of less than 1 %, indicating a moderate severity and low current exploitation probability. It is not listed in the CISA KEV catalog. An attacker who can induce concurrent PDF generation requests to a vulnerable server can cause the shared state to be overwritten, resulting in unintended exposure of JavaScript payloads and any data that the original user provided. The attack vector is inferred to be a concurrent request pattern rather than a remote code execution path. Because the data leakage only occurs when addJS is used, a deliberate or accidental use of the plugin can trigger the vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 00:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the jsPDF library to version 4.1.0 or later, the official fix for the shared‑state race condition.
  • If an upgrade cannot be performed immediately, disable or remove usage of the addJS plugin from the PDF generation flow so that no shared state is written.
  • Restart or reload the Node.js application after disabling the plugin or upgrading, and verify that generated PDFs no longer contain unintended JavaScript content.

Generated by OpenCVE AI on April 18, 2026 at 00:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cjw8-79x6-5cj4 jsPDF has Shared State Race Condition in addJS Plugin
History

Wed, 18 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N'}

 cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Parall
Parall jspdf
Vendors & Products Parall
Parall jspdf

Wed, 04 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-820
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N'}

threat_severity

Moderate

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0.
Title jsPDF has a Shared State Race Condition in addJS Plugin
Weaknesses CWE-362
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Parall Jspdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T15:30:05.465Z

Reserved: 2026-01-20T22:30:11.777Z

Link: CVE-2026-24040

cve-icon Vulnrichment

Updated: 2026-02-03T15:29:57.853Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:07.660

Modified: 2026-02-18T14:42:05.087

Link: CVE-2026-24040

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-02T20:38:24Z

Links: CVE-2026-24040 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses