CVE-2026-24133

Name of the Vulnerable Software and Affected Versions jsPDF versions prior to 4.1.0

Description jsPDF is a JavaScript library used to generate PDFs. A flaw exists where user-controlled input to the addImage method can lead to a denial of service. Specifically, providing a malicious BMP image with large width and/or height values in its header can cause excessive memory allocation, resulting in out-of-memory errors. The html method is also affected by this issue. The addImage function is vulnerable due to the lack of sanitization of image data or URLs. An example attack involves providing malicious BMP image data as the first argument to the addImage function.

Recommendations Update to jsPDF version 4.1.0 or later. Sanitize image data or URLs before passing them to the addImage method or the html method.