PT-2026-1342 · Jspdf · Jspdf
Published 2026-01-03 · Updated 2026-02-20
CVE-2025-68428
CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
jsPDF versions prior to 4.0.0
Description
jsPDF, a JavaScript library for generating PDFs, has a critical flaw in its Node.js builds. Prior to version 4.0.0, the loadFile, addImage, html, and addFont methods are susceptible to local file inclusion and path traversal. This allows an attacker to read arbitrary files from the system where the Node.js process is running and embed the contents of those files in the generated PDF. The vulnerability occurs when unsanitized paths are passed to the loadFile method. The issue affects the dist/jspdf.node.js and dist/jspdf.node.min.js files. Reports indicate that attackers are actively exploiting this flaw to extract sensitive data, including configurations and credentials, from compromised servers.
Recommendations
Upgrade to jsPDF version 4.0.0 or later.
For older Node.js versions, sanitize user-provided paths before passing them to jsPDF.
With recent Node.js versions (22.13.0/23.5.0/24.0.0 and later), consider using the --permission flag in production.
Exploit
Fix
Path traversal
Related identifiers
Affected products
Jspdf