"The jsPDF library for generating PDF documents in JavaScript applications is vulnerable to a critical vulnerability that allows an attacker to steal sensitive data from the local filesystem by including it in generated files. The flaw is a local file inclusion and path traversal that allows passing unsanitized paths to the file loading mechanism (loadFile) in jsPDF versions before 4.0. It is tracked as CVE-2025-68428 and received a severity score of 9.2."
"In jsPDF's Node.js builds, the 'loadFile' function is used for reading the local filesystem. The problem arises when user-controlled input is passed as the file path, causing jsPDF to incorporate into the generated PDF output the content of the file. Other file loading methods are also affected, including 'addImage', 'html', and 'addFont', as all can call the loadFile function. According to the jsPDF security bulletin, the issue only affects the Node.js builds of the library, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files."
A local file inclusion and path traversal flaw in jsPDF Node.js builds lets attacker-controlled file paths be passed to loadFile, causing local files to be embedded into generated PDFs. The vulnerability affects multiple file-loading methods including addImage, html, and addFont because they can call loadFile. The issue carries a 9.2 severity score and is tracked as CVE-2025-68428. The vulnerability was fixed in jsPDF 4.0.0 by restricting filesystem access by default and relying on Node.js permission mode, though that mode is experimental in Node 20 and broader Node versions and flags require careful configuration.
Read at BleepingComputer
Unable to calculate read time
Collection
[
|
...
]