
[CIVN-2026-0011] Local File Inclusion / Path Traversal Vulnerability in jsPDF
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
jsPDF versions ≤ 3.0.4
Overview
A vulnerability has been reported in jsPDF, which could be exploited by a remote attacker to read arbitrary files and embed their contents into generated PDF documents on the targeted system.
Target Audience:
Organizations and individuals using jsPDF in server-side / Node.js environments
Impact Assessment:
Potential exposure of sensitive data from the underlying host file system due to unauthorized file access and inclusion of file contents in generated PDF documents.
Risk Assessment:
Potential for information disclosure through local file inclusion/path traversal
Description
jsPDF is a widely used JavaScript library for generating PDF documents in web and server-side environments.
This vulnerability exists in the Node.js builds of jsPDF due to insufficient validation and sanitization of user-supplied file paths in file-loading and content-processing functionality. A remote attacker can exploit this vulnerability to perform path traversal (local file inclusion), allowing unauthorized reading of arbitrary files from the underlying file system.
Successful exploitation of this vulnerability could allow a remote attacker to read arbitrary files and embed their contents into generated PDF documents on the targeted system.
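To illustrate the missing path validation described above, the following added example (not code from jsPDF or from this advisory) confines a user-supplied path to one directory before it is handed to any file-loading call in a Node.js service. ASSET_ROOT, naiveIsInside, resolveInside and the sample paths are assumptions made for the example.

```javascript
// Added example, not jsPDF code. ASSET_ROOT, naiveIsInside and
// resolveInside are hypothetical names; the sample paths are constructed.
const path = require("node:path");

// Directory the PDF service may read from (assumed for this example).
const ASSET_ROOT = path.resolve("/srv/app/pdf-assets");

// Shown for contrast: a string-prefix test also accepts sibling directories
// such as /srv/app/pdf-assets-private.
function naiveIsInside(root, userPath) {
  return path.resolve(root, userPath).startsWith(root);
}

// Resolve a user-supplied relative path and return it only if it stays
// strictly below root. Throws otherwise.
function resolveInside(root, userPath) {
  if (typeof userPath !== "string" || userPath.length === 0) {
    throw new TypeError("path must be a non-empty string");
  }
  if (userPath.includes("\0")) throw new Error("NUL byte in path");
  if (path.isAbsolute(userPath)) throw new Error("absolute path not accepted");
  const resolved = path.resolve(root, userPath);
  const rel = path.relative(root, resolved);
  // rel is "" for root itself, begins with ".." when resolved lies outside
  // root, and is absolute on Windows when the drive differs.
  const escapes = rel === "" || rel === ".." ||
    rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (escapes) throw new Error("path escapes the allowed directory");
  return resolved;
}

// Run the guard over a list of inputs and report each decision.
function classify(inputs) {
  return inputs.map((input) => {
    try {
      return { input, ok: true, resolved: resolveInside(ASSET_ROOT, input) };
    } catch (err) {
      return { input, ok: false, reason: err.message };
    }
  });
}

// Constructed inputs: two legitimate names, then three that must be refused.
const SAMPLES = ["logo.png", "img/../logo.png", "../../etc/passwd",
  "/etc/passwd", "../pdf-assets-private/key.pem"];
console.log(classify(SAMPLES));
```

The check is lexical: where symbolic links can be created under the root, compare `fs.realpathSync` results for the root and the resolved path as well.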
Solution
Apply the security updates released by the vendor and upgrade jsPDF to version 4.0.0 or later.
Vendor Information
https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2
References
https://www.securityweek.com/critical-vulnerability-patched-in-jspdf/
https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2
CVE Name
CVE-2025-68428
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


