PT-2025-11639 · Jspdf · Jspdf

Published: 2025-03-05 · Updated: 2025-03-18 · CVE-2025-29907

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C

Name of the Vulnerable Software and Affected Versions

jsPDF versions prior to 3.0.1

Description

User control of the first argument of the addImage method results in high CPU utilization and denial of service. If unsanitized image URLs are passed to the addImage method, a user can provide a harmful data URL that causes high CPU utilization and denial of service. Other affected methods include html and addSvgAsImage.

Recommendations

For jsPDF versions prior to 3.0.1, upgrade to jsPDF 3.0.1 or later to fix the issue. As a temporary workaround, consider sanitizing image URLs before passing them to the addImage method or the other affected methods, such as html and addSvgAsImage.
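
One way to apply the temporary workaround for string inputs to addImage, as an added example (not code from jsPDF or from this advisory). The function names, the MIME allowlist and the size cap are assumptions; html and addSvgAsImage inputs are not covered by this check.

```javascript
// Added example: allowlist check for data URLs before they reach jsPDF.
// Names, MIME allowlist and size cap are assumptions, not jsPDF API.
const ALLOWED_HEADERS = new Set(["image/png;base64", "image/jpeg;base64"]);
const MAX_DATA_URL_LENGTH = 5 * 1024 * 1024; // assumed cap, in characters

// True for A-Z, a-z, 0-9, '+' and '/'.
function isBase64Char(c) {
  return (c >= 65 && c <= 90) || (c >= 97 && c <= 122) ||
         (c >= 48 && c <= 57) || c === 43 || c === 47;
}

// Returns { ok, reason }. Uses only indexOf and one linear scan, so the
// cost of validation is bounded by MAX_DATA_URL_LENGTH.
function checkImageDataUrl(input) {
  if (typeof input !== "string") return { ok: false, reason: "not a string" };
  if (input.length > MAX_DATA_URL_LENGTH) return { ok: false, reason: "too long" };
  if (!input.startsWith("data:")) return { ok: false, reason: "not a data URL" };
  const comma = input.indexOf(",");
  if (comma === -1) return { ok: false, reason: "no payload separator" };
  if (!ALLOWED_HEADERS.has(input.slice(5, comma))) {
    return { ok: false, reason: "header not allowlisted" };
  }
  const payload = input.slice(comma + 1);
  if (payload.length === 0 || payload.length % 4 !== 0) {
    return { ok: false, reason: "bad base64 length" };
  }
  // Up to two '=' padding characters, only at the very end.
  let end = payload.length;
  while (end > payload.length - 2 && payload.charCodeAt(end - 1) === 61) end--;
  for (let i = 0; i < end; i++) {
    if (!isBase64Char(payload.charCodeAt(i))) {
      return { ok: false, reason: "non-base64 character at " + i };
    }
  }
  return { ok: true, reason: "" };
}

// Wrapper: `doc` is a jsPDF instance; addImage is never called on rejection.
// Non-string image inputs are rejected here by design.
function addImageChecked(doc, imageData, ...rest) {
  const verdict = checkImageDataUrl(imageData);
  if (!verdict.ok) throw new TypeError("image rejected: " + verdict.reason);
  return doc.addImage(imageData, ...rest);
}
```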

Exploit

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

BDU:2025-08460
CVE-2025-29907
GHSA-W532-JXJH-HJHJ

Affected Products

Jspdf