PT-2026-20849 · Jspdf · Jspdf

Zeroxjacks · Published 2026-02-19 · Updated 2026-02-19 · CVE-2026-25535

CVSS v4.0 8.7 High

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

jsPDF versions prior to 4.2.0

Description

jsPDF is a JavaScript library used to generate PDFs. A flaw exists where user-controlled input to the addImage method can lead to denial of service. Specifically, providing a malicious GIF file with large width and/or height values in its header can cause excessive memory allocation, resulting in out-of-memory errors. The html method is also affected. An example attack vector involves using the addImage function with a crafted payload containing harmful GIF image data. The addImage function takes a payload as its first argument.

Recommendations

jsPDF versions prior to 4.2.0 should be upgraded to version 4.2.0 or later. As a workaround, sanitize image data or URLs before passing them to the addImage method or the html method.
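One way to implement the sanitizing workaround for GIF input, as an added example that is not part of the advisory or of jsPDF: it reads the dimensions from the GIF logical screen descriptor and from each frame's image descriptor (the per-frame check goes beyond the header fields the advisory names) and rejects files over a size budget. The names checkGifDimensions and sampleGif and the MAX_SIDE and MAX_PIXELS limits are assumptions.

```javascript
// Added example (not jsPDF code): reject oversized GIFs before addImage() or html().
// MAX_SIDE and MAX_PIXELS are assumed policy limits; tune them per application.
const MAX_SIDE = 4096;
const MAX_PIXELS = 16 * 1024 * 1024;

function checkGifDimensions(bytes, maxSide = MAX_SIDE, maxPixels = MAX_PIXELS) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 13) return { ok: false, reason: "too short" };
  const sig = String.fromCharCode(...bytes.subarray(0, 6));
  if (sig !== "GIF87a" && sig !== "GIF89a") return { ok: false, reason: "not a GIF" };
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const tooBig = (w, h) => w > maxSide || h > maxSide || w * h > maxPixels;
  const tableBytes = (flags) => (flags & 0x80 ? 3 * (1 << ((flags & 0x07) + 1)) : 0);

  // Logical screen descriptor: width and height are little-endian uint16 at 6 and 8.
  const width = view.getUint16(6, true);
  const height = view.getUint16(8, true);
  if (tooBig(width, height)) return { ok: false, reason: `screen ${width}x${height} over limit` };

  let pos = 13 + tableBytes(bytes[10]); // skip the optional global colour table
  while (pos < bytes.length) {
    const tag = bytes[pos++];
    if (tag === 0x3b) return { ok: true, width, height }; // trailer: every frame was checked
    if (tag === 0x21) {
      pos += 1; // extension label, followed by data sub-blocks
    } else if (tag === 0x2c) {
      if (pos + 9 > bytes.length) break;
      const w = view.getUint16(pos + 4, true);
      const h = view.getUint16(pos + 6, true);
      if (tooBig(w, h)) return { ok: false, reason: `frame ${w}x${h} over limit` };
      pos += 9 + tableBytes(bytes[pos + 8]) + 1; // descriptor, local table, LZW code size
    } else {
      break; // unknown block type
    }
    while (pos < bytes.length && bytes[pos] !== 0) pos += bytes[pos] + 1; // skip sub-blocks
    pos += 1; // sub-block terminator
  }
  return { ok: false, reason: "truncated or malformed GIF" };
}

// Constructed sample: a minimal one-frame GIF89a with caller-chosen dimensions.
function sampleGif(screenW, screenH, frameW = 1, frameH = 1) {
  const le = (n) => [n & 0xff, n >> 8];
  return Uint8Array.from([
    0x47, 0x49, 0x46, 0x38, 0x39, 0x61, ...le(screenW), ...le(screenH), 0x80, 0, 0,
    0, 0, 0, 0xff, 0xff, 0xff, 0x2c, 0, 0, 0, 0, ...le(frameW), ...le(frameH), 0,
    0x02, 0x02, 0x4c, 0x01, 0x00, 0x3b,
  ]);
}
```

Run the check on the decoded image bytes and pass the image on to addImage or html only when `ok` is true; data URLs and base64 strings need decoding to a Uint8Array first.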

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-25535
GHSA-67PG-WM7F-Q7FJ

Affected Products

Jspdf