chore(deps): update dependency jspdf to v4.2.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jspdf	4.1.0 → 4.2.0

GitHub Vulnerability Alerts

CVE-2026-25535

Impact

User control of the first argument of the addImage method results in denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, wich lead to excessive memory allocation.

Other affected methods are: html.

Example attack vector:

import { jsPDF } from "jspdf" 

// malicious GIF image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "GIF", 0, 0, 100, 100);

Patches

The vulnerability has been fixed in jsPDF 4.1.1. Upgrade to jspdf@>=4.2.0.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md

CVE-2026-25755

Impact

User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");

Patches

The vulnerability has been fixed in jspdf@4.2.0.

Workarounds

Escape parentheses in user-provided JavaScript code before passing them to the addJS method.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md

CVE-2026-25940

Impact

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option.

• AcroformChildClass.appearanceState

Example attack vector:

import { jsPDF } from "jspdf"
const doc = new jsPDF();

const group = new doc.AcroFormRadioButton();
group.x = 10; group.y = 10; group.width = 20; group.height = 10;
doc.addField(group);

const child = group.createOption("opt1");
child.x = 10; child.y = 10; child.width = 20; child.height = 10;
child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>";

doc.save("test.pdf");

Patches

The vulnerability has been fixed in jsPDF@4.2.0.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

---

Release Notes

parallax/jsPDF (jspdf)

v4.2.0

Compare Source

This release fixes three security issues.

What's Changed

• Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton children) vulnerability.
• Fix Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions vulnerability.
• Fix PDF Object Injection via Unsanitized Input in addJS Method vulnerability.
• Add "default" property to export section in package.json by @​stefan-schweiger in #​3953

New Contributors

• @​stefan-schweiger made their first contribution in #​3953

Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.