jsPDF: Critical jsPDF flaw lets hackers steal secrets via generated PDFs

Critical Vulnerability in jsPDF Exposes Sensitive Data via Local File Inclusion

A severe vulnerability in the jsPDF library, tracked as CVE-2025-68428 (CVSS 9.2), allows an attacker who controls a file path passed to the library to read files from the server's local filesystem and have their contents embedded in the generated PDF, which the application then hands back to the requester. The flaw is a local file inclusion and path traversal issue in jsPDF versions prior to 4.0.0: unsanitized user input passed to the loadFile function is used directly as a filesystem path, so no check prevents it from pointing outside the directory the application intended.

The jsPDF library, widely used for JavaScript-based PDF generation, has over 3.5 million weekly downloads on npm. Only the Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) are affected, because only they read from the local filesystem: their loadFile function can be abused whenever the path it receives is derived, directly or indirectly, from user input. The exposure is not limited to direct loadFile calls; addImage, html and addFont accept file paths too and call loadFile internally, so a user-supplied image or font path reaches the same code.

Applications are not exposed if every path reaching these functions is hardcoded, taken from trusted configuration, or checked against an allowlist before use. Even so, the jsPDF team warns that, given the library's widespread adoption, the vulnerability may well be exploited in applications that do pass user-controlled paths.

The issue was patched in jsPDF 4.0.0, which restricts filesystem access by default and delegates any remaining access control to Node.js's permission model. Full protection requires Node.js 22.13.0, 23.5.0, or 24.0.0 and later, where that model is stable; earlier releases only ship it as an experimental feature. Two caveats apply to the suggested --permission workaround: the flag is process-wide, so it constrains everything the Node.js process does rather than jsPDF alone, and an overly broad --allow-fs-read grant (for example one covering the whole filesystem) reintroduces the exposure the fix is meant to close.

For applications that cannot move to a Node.js release with a stable permission model, the jsPDF team recommends validating and sanitizing user-provided paths before passing them to the library. Security firm Endor Labs, which described the flaw in a technical report, likewise stresses strict input validation as the primary defense.

Source: https://www.bleepingcomputer.com/news/security/critical-jspdf-flaw-lets-hackers-steal-secrets-via-generated-pdfs/

Parallax cybersecurity rating report: https://www.rankiteo.com/company/parallax-agency

"id": "PAR1767828718",
"linkid": "parallax-agency",
"type": "Vulnerability",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/Software Development',
                        'location': 'Global',
                        'name': 'jsPDF Library Users',
                        'size': '3.5 million weekly downloads (npm registry)',
                        'type': 'Software Library'}],
 'attack_vector': "User-controlled input passed as file path to jsPDF's "
                  "'loadFile' function",
 'data_breach': {'data_exfiltration': 'Yes (via generated PDFs)',
                 'personally_identifiable_information': 'Possible (if PII '
                                                        'files are accessed)',
                 'sensitivity_of_data': 'High (if sensitive files are '
                                        'accessed)',
                 'type_of_data_compromised': 'Local filesystem data '
                                             '(potentially sensitive files)'},
 'description': 'The jsPDF library for generating PDF documents in JavaScript '
                'applications is vulnerable to a critical vulnerability that '
                'allows an attacker to steal sensitive data from the local '
                'filesystem by including it in generated files. The flaw is a '
                'local file inclusion and path traversal that allows passing '
                'unsanitized paths to the file loading mechanism (loadFile) in '
                'jsPDF versions before 4.0.0.',
 'impact': {'data_compromised': 'Sensitive data from local filesystem',
            'identity_theft_risk': 'High (if PII is exposed)',
            'payment_information_risk': 'High (if payment data is exposed)',
            'systems_affected': 'Applications using vulnerable versions of '
                                'jsPDF (Node.js builds)'},
 'lessons_learned': 'Importance of input sanitization, restricting filesystem '
                    'access, and using Node.js permission mode for security.',
 'post_incident_analysis': {'corrective_actions': 'Restrict filesystem access '
                                                  'by default, enforce input '
                                                  'sanitization, and use '
                                                  'Node.js permission mode',
                            'root_causes': 'Unsanitized user-controlled input '
                                           "passed to jsPDF's 'loadFile' "
                                           'function, allowing path traversal '
                                           'and local file inclusion'},
 'recommendations': ['Upgrade to jsPDF v4.0.0 or later',
                     'Sanitize user-provided paths before passing them to '
                     'jsPDF',
                     'Use Node.js versions 22.13.0, 23.5.0, or 24.0.0+ with '
                     'permission mode enabled',
                     'Avoid overly broad filesystem permissions in '
                     "'--allow-fs-read'",
                     'Implement strict allowlists for file paths'],
 'references': [{'source': 'Parallax'},
                {'source': 'Endor Labs'},
                {'source': 'jsPDF Security Bulletin'}],
 'response': {'containment_measures': 'Restricting filesystem access by '
                                      'default in jsPDF v4.0.0',
              'remediation_measures': 'Upgrade to jsPDF v4.0.0 or later, '
                                      'sanitize user-provided paths, use '
                                      'Node.js permission mode (versions '
                                      '22.13.0, 23.5.0, or 24.0.0+)'},
 'title': 'Critical Local File Inclusion Vulnerability in jsPDF Library '
          '(CVE-2025-68428)',
 'type': 'Local File Inclusion / Path Traversal',
 'vulnerability_exploited': 'CVE-2025-68428'}