
Critical jsPDF Flaw Exposes Secrets in Generated PDFs

Summary

– The jsPDF library has a critical vulnerability (CVE-2025-68428) allowing local file inclusion and path traversal, which can leak local file data into generated PDFs.
– This flaw, with a severity score of 9.2, affects Node.js builds of the widely used library, which has over 3.5 million weekly downloads.
– The vulnerability occurs when user-controlled input is passed to functions like `loadFile`, `addImage`, `html`, or `addFont`, incorporating file contents into the PDF output.
– The issue was fixed in jsPDF version 4.0.0, which no longer reads the filesystem by default and instead defers to Node.js’s permission model; that model is stable only from Node 22.13.0 (and 23.5.0 / 24.0.0) onward, so older runtimes get weaker protection.
– Exploitation risk is low if file paths are hardcoded or strictly controlled, but the vulnerability’s broad deployment makes it a candidate for active exploitation if configurations are overly permissive.

A widely used JavaScript library for creating PDFs contains a serious security flaw that could allow attackers to read sensitive data from a server’s local files. The vulnerability, identified as CVE-2025-68428, affects the jsPDF library and carries a CVSS score of 9.2, in the critical range. The package sees over 3.5 million weekly downloads from the npm registry, so the number of Node.js back ends exposed is large.

The core issue is a local file inclusion and path traversal weakness present in jsPDF versions prior to 4.0.0. In Node.js environments, the library’s `loadFile` function reads from the local filesystem and passes user-controlled input through as a path without sanitizing it. If an attacker can influence that path parameter (for example with `../` sequences or an absolute path), they can make jsPDF read any file the Node process can access and embed its contents directly into the generated PDF, which is then returned to them. This exposes confidential data such as configuration files, source code, or system credentials.

Several other file-loading methods within the library are also vulnerable, including `addImage`, `html`, and `addFont`, because they ultimately rely on the same `loadFile` function. The security bulletin from jsPDF clarifies that only the Node.js builds of the library are affected, specifically the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. Browser builds have no filesystem access, so browser-based applications using jsPDF are not exposed to this issue.

Security researchers note that the practical exploitation risk can be low in scenarios where file paths are strictly hardcoded, derived from trusted configurations, or controlled by rigorous input allowlists. However, in applications where user input influences these paths, the vulnerability becomes a clear and present danger.

The maintainers of jsPDF addressed CVE-2025-68428 in version 4.0.0 by changing the default behavior so the library no longer reads the filesystem on its own, deferring instead to Node.js’s permission model. This fix introduces important considerations. The permission model was experimental in earlier Node.js releases and is only considered stable in newer ones; experts recommend Node 22.13.0, 23.5.0, or 24.0.0 and later for reliable protection.

Furthermore, applying the suggested workaround of enabling the `--permission` flag affects the entire Node.js process, not just the jsPDF library: every other module that reads files must then be granted access explicitly. A critical configuration pitfall highlighted by researchers is that an overly broad `--allow-fs-read` grant (one that covers the whole filesystem rather than the directory holding the assets jsPDF needs) completely negates the security fix, leaving systems exposed. For teams unable to immediately upgrade, the jsPDF team advises rigorously sanitizing all user-provided file paths before they are passed to the library’s functions.

Given the extremely broad deployment of jsPDF across the ecosystem, this vulnerability is an attractive target for malicious actors. Organizations using the library in Node.js back ends should prioritize upgrading to the patched version, or apply the recommended controls (strict path sanitization and a narrowly scoped permission grant) until they can, to prevent local files from being leaked through generated PDFs.

(Source: Bleeping Computer)
