A critical vulnerability has been discovered in jsPDF, one of the most popular JavaScript libraries for generating PDF documents. The flaw, assigned a scorching CVSS score of 9.2, allows attackers to exploit Node.js environments to read arbitrary files from the server’s local file system—effectively turning a document generator into a data exfiltration tool.
The vulnerability, tracked as CVE-2025-68428, is a Local File Inclusion (LFI) and Path Traversal bug that specifically targets the Node.js builds of the library.
The issue lies in how the library handles file paths in specific methods. Functions like loadFile, addImage, html, and addFont accept file paths as arguments. In the affected Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js), the library fails to properly sanitize these inputs.
This oversight allows a malicious user to supply a path to a sensitive local file instead of an image or font. The report provides a stark example: an attacker could use the addImage function to request ./secret.txt. Instead of an error, the library obediently reads the secret file and embeds its contents “verbatim in the generated PDFs”.
“If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in,” the advisory explains.
The maintainers have addressed the issue in jsPDF version 4.0.0. This major update introduces a default restriction on file system access, closing the door on unauthorized reads. The update is described as “semver-major” but does not introduce other breaking changes, encouraging users to upgrade quickly.
For developers unable to update immediately, the advisory suggests two mitigation strategies:
- Sanitize Inputs: For older Node.js versions, developers must manually “sanitize user-provided paths before passing them to jsPDF”.
- Use Permission Flags: For those on modern Node.js versions (v20.0.0 and later), the report recommends using the `--permission` flag to restrict the process's file system access at the runtime level.