Critical jsPDF flaw lets hackers steal secrets via generated PDFs

Published:

7 januari 2026 om 21:46:29

Alert date:

7 januari 2026 om 22:01:55

Source:

bleepingcomputer.com

Web Technologies, Supply Chain & Dependencies, Data Breach & Exfiltration

The jsPDF library for generating PDF documents in JavaScript applications contains a critical vulnerability that allows attackers to steal sensitive data from the local filesystem. The flaw enables malicious actors to include local files in generated PDF documents, potentially exposing confidential information. This affects web applications that use the jsPDF library for client-side PDF generation. The vulnerability poses a significant risk to applications handling sensitive data and requires immediate patching.

Technical details

The jsPDF library is vulnerable to a critical local file inclusion and path traversal flaw that allows attackers to steal sensitive data from the local filesystem. The vulnerability exists in the loadFile function in Node.js builds of jsPDF versions before 4.0, where unsanitized user-controlled input is passed as file path causing jsPDF to incorporate file content into generated PDF output. Other affected methods include addImage, html, and addFont functions. The flaw only affects Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js files) and has a CVSS score of 9.2.

Mitigation steps:

Update jsPDF to version 4.0.0 or later
Use Node.js versions 22.13.0, 23.5.0, or 24.0.0 and later (recommended over Node 20 due to experimental permission mode)
For older Node versions: sanitize user-provided paths before passing them to jsPDF
Use hardcoded file paths, trusted configurations, or strict allowlists for inputs
Enable --permission flag carefully as it affects the entire Node.js process
Avoid overly broad filesystem permissions in --allow-fs-read configuration

Affected products:

jsPDF library versions before 4.0.0 (Node.js builds: dist/jspdf.node.js and dist/jspdf.node.min.js)