GHSA-XGX4-2WGV-4JHM
Vulnerability from github – Published: 2026-03-20 20:45 – Updated: 2026-03-20 20:45Summary
The multiVariableText property panel in @pdfme/schemas constructs HTML via string concatenation and assigns it to innerHTML using unsanitized i18n label values. An attacker who can control label overrides passed through options.labels can inject arbitrary JavaScript that executes in the context of any user who opens the Designer and selects a multiVariableText field with no {variables} in its text.
Details
When a user selects a multiVariableText schema field that contains no {variable} placeholders, the property panel renders instructional text by concatenating i18n-translated strings directly into innerHTML.
Vulnerable sink — packages/schemas/src/multiVariableText/propPanel.ts:65-71:
// Use safe string concatenation for innerHTML
const typingInstructions = i18n('schemas.mvt.typingInstructions');
const sampleField = i18n('schemas.mvt.sampleField');
para.innerHTML =
typingInstructions +
` <code style="color:${safeColorValue}; font-weight:bold;">{` +
sampleField +
'}</code>';
The comment on line 64 claims "safe string concatenation" but the result is assigned to innerHTML with no HTML escaping applied to typingInstructions or sampleField.
i18n lookup has no escaping — packages/ui/src/i18n.ts:903:
export const i18n = (key: keyof Dict, dict?: Dict) => (dict || getDict(DEFAULT_LANG))[key];
This is a plain dictionary lookup — no HTML encoding or sanitization.
Label override via deep merge — packages/ui/src/components/AppContextProvider.tsx:57-63:
let dict = getDict(lang);
if (options.labels) {
dict = deepMerge(
dict as unknown as Record<string, unknown>,
options.labels as unknown as Record<string, unknown>,
) as typeof dict;
}
User-supplied options.labels values are deep-merged into the i18n dictionary with no content sanitization. The Zod schema validates labels as z.record(z.string(), z.string()) — enforcing type but not content safety.
Inconsistency: The color value on lines 58-62 is explicitly validated with a regex allowlist, demonstrating security awareness. The i18n string values were simply overlooked.
PoC
- Create a minimal app that passes attacker-controlled labels:
<html>
<body>
<div id="designer-container" style="width:100%;height:700px;"></div>
<script type="module">
import { Designer } from '@pdfme/ui';
import { multiVariableText } from '@pdfme/schemas';
const template = {
basePdf: { width: 210, height: 297, padding: [10, 10, 10, 10] },
schemas: [[{
type: 'multiVariableText',
name: 'field1',
text: 'plain text with no variables',
content: '{}',
variables: [],
position: { x: 20, y: 20 },
width: 100,
height: 20,
readOnly: true,
}]],
};
new Designer({
domContainer: document.getElementById('designer-container'),
template,
plugins: { multiVariableText },
options: {
labels: {
'schemas.mvt.typingInstructions':
'<img src=x onerror="document.title=document.cookie">Inject: ',
'schemas.mvt.sampleField': 'safe',
},
},
});
</script>
</body>
</html>
-
Open the application in a browser.
-
Click on the multiVariableText field (
field1) in the Designer canvas to select it. -
Observe: The property panel renders the injected HTML. The
onerrorhandler executes, settingdocument.titleto the page's cookies. In a real attack, this would exfiltrate session tokens to an attacker-controlled server.
Impact
- Session hijacking: Attacker-injected JavaScript can steal authentication cookies and tokens from any user who opens the Designer.
- DOM manipulation: The injected script runs in the application's origin, allowing phishing overlays, form hijacking, or data exfiltration.
- Stored XSS potential: In multi-tenant applications where labels are stored in a database or fetched from an API, a single poisoned label entry affects all users who subsequently open the Designer.
- Scope change: The XSS payload executes in the embedding application's browser context, escaping the pdfme component's security boundary.
Recommended Fix
Replace innerHTML with safe DOM APIs in packages/schemas/src/multiVariableText/propPanel.ts:
// BEFORE (vulnerable):
para.innerHTML =
typingInstructions +
` <code style="color:${safeColorValue}; font-weight:bold;">{` +
sampleField +
'}</code>';
// AFTER (safe):
para.appendChild(document.createTextNode(typingInstructions + ' '));
const codeEl = document.createElement('code');
codeEl.style.color = safeColorValue;
codeEl.style.fontWeight = 'bold';
codeEl.textContent = `{${sampleField}}`;
para.appendChild(codeEl);
This ensures that i18n label values are always treated as text content, never parsed as HTML, regardless of their source.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.5.9"
},
"package": {
"ecosystem": "npm",
"name": "@pdfme/schemas"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.5.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:45:08Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe multiVariableText property panel in `@pdfme/schemas` constructs HTML via string concatenation and assigns it to `innerHTML` using unsanitized i18n label values. An attacker who can control label overrides passed through `options.labels` can inject arbitrary JavaScript that executes in the context of any user who opens the Designer and selects a multiVariableText field with no `{variables}` in its text.\n\n## Details\n\nWhen a user selects a multiVariableText schema field that contains no `{variable}` placeholders, the property panel renders instructional text by concatenating i18n-translated strings directly into `innerHTML`.\n\n**Vulnerable sink** \u2014 `packages/schemas/src/multiVariableText/propPanel.ts:65-71`:\n\n```typescript\n// Use safe string concatenation for innerHTML\nconst typingInstructions = i18n(\u0027schemas.mvt.typingInstructions\u0027);\nconst sampleField = i18n(\u0027schemas.mvt.sampleField\u0027);\npara.innerHTML =\n typingInstructions +\n ` \u003ccode style=\"color:${safeColorValue}; font-weight:bold;\"\u003e{` +\n sampleField +\n \u0027}\u003c/code\u003e\u0027;\n```\n\nThe comment on line 64 claims \"safe string concatenation\" but the result is assigned to `innerHTML` with no HTML escaping applied to `typingInstructions` or `sampleField`.\n\n**i18n lookup has no escaping** \u2014 `packages/ui/src/i18n.ts:903`:\n\n```typescript\nexport const i18n = (key: keyof Dict, dict?: Dict) =\u003e (dict || getDict(DEFAULT_LANG))[key];\n```\n\nThis is a plain dictionary lookup \u2014 no HTML encoding or sanitization.\n\n**Label override via deep merge** \u2014 `packages/ui/src/components/AppContextProvider.tsx:57-63`:\n\n```typescript\nlet dict = getDict(lang);\nif (options.labels) {\n dict = deepMerge(\n dict as unknown as Record\u003cstring, unknown\u003e,\n options.labels as unknown as Record\u003cstring, unknown\u003e,\n ) as typeof dict;\n}\n```\n\nUser-supplied `options.labels` values are deep-merged into the i18n dictionary with no content sanitization. The Zod schema validates labels as `z.record(z.string(), z.string())` \u2014 enforcing type but not content safety.\n\n**Inconsistency:** The color value on lines 58-62 is explicitly validated with a regex allowlist, demonstrating security awareness. The i18n string values were simply overlooked.\n\n## PoC\n\n1. **Create a minimal app that passes attacker-controlled labels:**\n\n```html\n\u003chtml\u003e\n\u003cbody\u003e\n\u003cdiv id=\"designer-container\" style=\"width:100%;height:700px;\"\u003e\u003c/div\u003e\n\u003cscript type=\"module\"\u003e\nimport { Designer } from \u0027@pdfme/ui\u0027;\nimport { multiVariableText } from \u0027@pdfme/schemas\u0027;\n\nconst template = {\n basePdf: { width: 210, height: 297, padding: [10, 10, 10, 10] },\n schemas: [[{\n type: \u0027multiVariableText\u0027,\n name: \u0027field1\u0027,\n text: \u0027plain text with no variables\u0027,\n content: \u0027{}\u0027,\n variables: [],\n position: { x: 20, y: 20 },\n width: 100,\n height: 20,\n readOnly: true,\n }]],\n};\n\nnew Designer({\n domContainer: document.getElementById(\u0027designer-container\u0027),\n template,\n plugins: { multiVariableText },\n options: {\n labels: {\n \u0027schemas.mvt.typingInstructions\u0027:\n \u0027\u003cimg src=x onerror=\"document.title=document.cookie\"\u003eInject: \u0027,\n \u0027schemas.mvt.sampleField\u0027: \u0027safe\u0027,\n },\n },\n});\n\u003c/script\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n2. **Open the application in a browser.**\n\n3. **Click on the multiVariableText field** (`field1`) in the Designer canvas to select it.\n\n4. **Observe:** The property panel renders the injected HTML. The `onerror` handler executes, setting `document.title` to the page\u0027s cookies. In a real attack, this would exfiltrate session tokens to an attacker-controlled server.\n\n## Impact\n\n- **Session hijacking:** Attacker-injected JavaScript can steal authentication cookies and tokens from any user who opens the Designer.\n- **DOM manipulation:** The injected script runs in the application\u0027s origin, allowing phishing overlays, form hijacking, or data exfiltration.\n- **Stored XSS potential:** In multi-tenant applications where labels are stored in a database or fetched from an API, a single poisoned label entry affects all users who subsequently open the Designer.\n- **Scope change:** The XSS payload executes in the embedding application\u0027s browser context, escaping the pdfme component\u0027s security boundary.\n\n## Recommended Fix\n\nReplace `innerHTML` with safe DOM APIs in `packages/schemas/src/multiVariableText/propPanel.ts`:\n\n```typescript\n// BEFORE (vulnerable):\npara.innerHTML =\n typingInstructions +\n ` \u003ccode style=\"color:${safeColorValue}; font-weight:bold;\"\u003e{` +\n sampleField +\n \u0027}\u003c/code\u003e\u0027;\n\n// AFTER (safe):\npara.appendChild(document.createTextNode(typingInstructions + \u0027 \u0027));\nconst codeEl = document.createElement(\u0027code\u0027);\ncodeEl.style.color = safeColorValue;\ncodeEl.style.fontWeight = \u0027bold\u0027;\ncodeEl.textContent = `{${sampleField}}`;\npara.appendChild(codeEl);\n```\n\nThis ensures that i18n label values are always treated as text content, never parsed as HTML, regardless of their source.",
"id": "GHSA-xgx4-2wgv-4jhm",
"modified": "2026-03-20T20:45:08Z",
"published": "2026-03-20T20:45:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pdfme/pdfme/security/advisories/GHSA-xgx4-2wgv-4jhm"
},
{
"type": "PACKAGE",
"url": "https://github.com/pdfme/pdfme"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.