The flaw, tracked as CVE-2025-68428, exposes applications running the Node.js build of the library to Local File Inclusion (LFI) and Path Traversal attacks.
If left unpatched, this vulnerability allows remote attackers to read sensitive files from the server’s file system and embed their contents directly into generated PDFs.
The vulnerability stems from improper handling of file paths in specific methods within the Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js).
According to the security advisory published by GitHub researcher kilkat (Kwangwoon Kim), the library fails to sanitize user inputs passed to the loadFile, addImage, html, and addFont methods.
In a real-world attack scenario, a threat actor could manipulate input to reference critical system files.
For example, by passing a path like ../../etc/passwd or config.json into the addImage In a function, the application would unknowingly retrieve the file’s contents and render them verbatim in the final PDF document.
Because the attack requires no user interaction or elevated privileges, it has been assigned a Critical severity rating.
The flaw specifically affects jsPDF versions 3.0.4 and earlier. While client-side (browser) implementations are generally isolated by browser security models, server-side Node.js implementations are at high risk.
The CVSS 4.0 assessment highlights a “High” impact on confidentiality, as attackers can exfiltrate secrets, configuration data, or source code accessible to the Node.js process.
The maintainers have released jsPDF version 4.0.0 to address this issue. This major update changes the default behavior by restricting file-system access, effectively neutralizing the path-traversal vector.
Developers are strongly urged to upgrade to version 4.0.0 immediately. If an upgrade is not feasible, the following workarounds are recommended:
--permission flag to restrict file system read access at the process level.| Metric | Details |
|---|---|
| CVE ID | CVE-2025-68428 |
| Vulnerability Type | Local File Inclusion (LFI) / Path Traversal |
| Affected Software | jsPDF (Node.js builds) |
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyber Press as a Preferred Source in Google.
The post Critical Flaw in jsPDF Library Allows Attackers to Read Arbitrary Files appeared first on Cyber Security News.
Microsoft has announced the games coming to Xbox Game Pass during the rest of April…
The Elden Ring movie finally got an official update today, with the full cast announced…
IGN is proud to partner once again with ID@Xbox for another exciting showcase on April…
50 Years Ago Since late February at least 38 dogs and two cats have been…
AMHERST — Walking through Wildwood School as part of a guided farewell tour of the…
Easthampton and Northampton are once again reiterating their support for limiting local municipalities cooperation with…
This website uses cookies.