CVE-2025-29907
📋 TL;DR
CVE-2025-29907 is a denial-of-service vulnerability in the jsPDF library: an attacker who can pass a malicious data URL to the addImage, html, or addSvgAsImage methods can cause high CPU utilization and service disruption. It affects web applications that use vulnerable jsPDF versions to generate PDFs from user-controlled input. Exploitation requires user interaction to supply malicious image URLs.
💻 Affected Systems
- jsPDF
📦 What is this software?
Jspdf by Parall
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service where the application becomes unresponsive due to CPU exhaustion, affecting all users of the service.
Likely Case
Temporary service degradation or crashes for users processing PDFs with malicious inputs, requiring application restart.
If Mitigated
Minimal impact with proper input validation and sanitization preventing malicious URLs from reaching vulnerable methods.
🎯 Exploit Status
Exploitation requires that a user be able to supply image URLs to the affected methods. No authentication bypass is needed if the application accepts user input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.1
Vendor Advisory: https://github.com/parallax/jsPDF/security/advisories/GHSA-w532-jxjh-hjhj
Restart Required: No
Instructions:
1. Update the jsPDF dependency to version 3.0.1 or later.
2. For npm: 'npm update jspdf'.
3. For yarn: 'yarn upgrade jspdf'.
4. Verify that the update in package.json shows 'jspdf': '^3.0.1'.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict validation and sanitization of user-supplied image URLs before passing them to jsPDF methods.
Rate Limiting
Implement rate limiting on PDF generation endpoints to mitigate DoS impact.
🧯 If You Can't Patch
- Implement strict input validation to reject or sanitize data URLs and external image URLs
- Isolate PDF generation to separate worker processes with resource limits and timeouts
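One way to implement the data-URL validation listed above, as an added example that is not jsPDF's or the advisory's code. The function name `checkImageDataUrl`, the 2 MiB cap and the PNG/JPEG allowlist are assumptions; the gate uses only a length check, string splitting and one anchored pattern, so it stays cheap on hostile input.

```javascript
// Added example (not jsPDF code): gate user-supplied image data URLs before
// they are handed to addImage / html / addSvgAsImage.
// checkImageDataUrl, the 2 MiB cap and the MIME allowlist are assumptions.
const MAX_DATA_URL_LENGTH = 2 * 1024 * 1024;
const MAGIC = new Map([               // leading bytes expected per MIME type
  ["image/png", "\x89PNG\r\n\x1a\n"],
  ["image/jpeg", "\xff\xd8\xff"],
]);
const BASE64_BODY = /^[A-Za-z0-9+/]*={0,2}$/; // anchored, no nested quantifiers

function reject(reason) {
  return { ok: false, reason };
}

function checkImageDataUrl(input) {
  if (typeof input !== "string") return reject("not-a-string");
  // Length first, so nothing below ever scans an oversized value.
  if (input.length > MAX_DATA_URL_LENGTH) return reject("too-long");
  if (!input.startsWith("data:")) return reject("not-a-data-url");
  const comma = input.indexOf(",");
  if (comma === -1) return reject("missing-comma");

  // Header must be exactly "<mime>;base64": no charset or other parameters.
  const parts = input.slice(5, comma).split(";");
  if (parts.length !== 2 || parts[1] !== "base64") return reject("bad-header");
  const mime = parts[0].toLowerCase();
  if (!MAGIC.has(mime)) return reject("mime-not-allowed");

  const body = input.slice(comma + 1);
  if (body.length === 0 || body.length % 4 !== 0 || !BASE64_BODY.test(body)) {
    return reject("bad-base64");
  }
  // Decode only the first 12 bytes and compare them with the declared type.
  if (!atob(body.slice(0, 16)).startsWith(MAGIC.get(mime))) {
    return reject("magic-mismatch");
  }
  // Hand back a canonical string so only the validated form is passed on.
  return { ok: true, mime, dataUrl: `data:${mime};base64,${body}` };
}

// Constructed sample inputs (not real images, just the right leading bytes).
const samplePng = "data:image/png;base64," + btoa("\x89PNG\r\n\x1a\nconstructed");
console.log(checkImageDataUrl(samplePng));
console.log(checkImageDataUrl("data:image/svg+xml;base64,AAAA"));
```

Pass only the returned `dataUrl` to jsPDF and reject the request on any `ok: false` result; logging the `reason` gives the "malformed data URL" signal listed under Detection & Monitoring.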
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for the jsPDF version. If the version is below 3.0.1 and the application uses addImage, html, or addSvgAsImage with user input, it is vulnerable.
Check Version:
npm list jspdf | grep jspdf OR check package.json for 'jspdf' version
Verify Fix Applied:
Confirm jsPDF version is 3.0.1 or higher in package.json and test PDF generation with various inputs.
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes during PDF generation
- Application crashes or timeouts from PDF processing
- Unusually large or malformed data URLs in requests
Network Indicators:
- Increased failed PDF generation requests
- Timeouts on PDF generation endpoints
SIEM Query:
source=application_logs AND ("addImage" OR "addSvgAsImage" OR "html" method) AND (cpu_usage > 90% OR timeout_error)