Critical JsPDF Flaw Lets Hackers Steal Secrets via Generated PDFs
Summary:
A critical vulnerability, tracked as CVE-2025-68428 (CVSS 9.2), has been identified in the popular JavaScript library jsPDF, affecting its Node.js builds prior to version 4.0.0. The flaw is a local file inclusion (LFI) and path traversal issue caused by missing sanitization of file paths in the loadFile method, which is used internally by widely used APIs such as addImage, html, and addFont. If an application accepts user-controlled input, such as a filename or image path, and passes it directly to one of these functions, an attacker can supply a crafted path (for example, one containing ../ traversal sequences or an absolute path). The library then reads the targeted file from the server's filesystem and embeds its raw contents verbatim in the generated PDF document. A remote, unauthenticated attacker can therefore exfiltrate sensitive data, including credentials, private keys, and environment variables, through the application's normal PDF output.
Security Officer Comments:
This vulnerability represents a significant supply chain risk due to the ubiquity of jsPDF, which sees over 3.5 million weekly downloads. Because the flaw resides in the server-side Node.js build rather than the browser build, it directly exposes the underlying infrastructure of any organization that uses JavaScript-based backend services for document generation. The impact is particularly high for automated reporting, invoicing, and data export features, which often populate documents from user-provided metadata. If your organization operates a Node.js service where users can upload logos or customize PDF templates, and those values reach addImage, html, or addFont, you should treat yourself as exposed. Furthermore, while the fix in version 4.0.0 is robust, it relies on Node's Permission Model (experimental in Node 20, stable only from v22.13.0) for full effectiveness; organizations running older long-term support (LTS) versions of Node.js may find themselves in a gap where a library update alone is insufficient without upgrading the runtime or adding their own input validation.
Suggested Corrections:
To address this vulnerability, the primary recommendation is to upgrade to jsPDF version 4.0.0 or later immediately.
Updating to jsPDF 4.0.0 addresses the issue but comes with some caveats:
- It requires Node.js with permission mode, introduced experimentally in v20.0.0 and stable since v22.13.0/v23.5.0/v24.0.0.
- The recommended approach is to use Node's permission flags (--permission together with --allow-fs-read) so that the runtime, not the library, enforces which paths can be read.
- Be careful not to grant broad read access (e.g., entire filesystem).
- Alternatively, you can allow jsPDF to read specific files by setting jsPDF.allowFsRead in your script, but this is not recommended. See the jsPDF README for details.
https://www.endorlabs.com/learn/cve-2025-68428-critical-path-traversal-in-jspdf