CVE-2025-68428
📋 TL;DR
CVE-2025-68428 is a path traversal vulnerability in jsPDF's Node.js builds that allows attackers to read arbitrary local files when user-controlled input is passed to certain methods. This affects applications using jsPDF's Node.js builds (dist/jspdf.node.js or dist/jspdf.node.min.js) where user input reaches vulnerable methods like loadFile, addImage, html, or addFont. The vulnerability only impacts Node.js environments, not browser builds.
💻 Affected Systems
- jsPDF
📦 What is this software?
Jspdf by Parall
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the Node.js process can read on the server, allowing exfiltration of sensitive files including configuration files, credentials, source code, and database files.
Likely Case
Unauthorized reading of application files, configuration files, or other sensitive data accessible to the Node.js process.
If Mitigated
Limited impact with proper input validation and file system permissions restricting the Node.js process to necessary directories only.
🎯 Exploit Status
Exploitation requires user input reaching vulnerable methods. The vulnerability is straightforward to exploit once an attacker can control input to these methods.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.0
Vendor Advisory: https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2
Restart Required: Yes
Instructions:
1. Update jsPDF to version 4.0.0 or later using npm: npm install jspdf@^4.0.0
2. Restart your Node.js application
3. Verify the update by checking package.json or running npm list jspdf
🔧 Temporary Workarounds
Node.js Permission Flag
Use Node.js experimental permission system to restrict file system access
node --permission --allow-fs-read=/path/to/allowed/directory your-app.js
Input Sanitization
Sanitize all user-provided paths before passing to jsPDF methods
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-provided paths before they reach jsPDF methods
- Run Node.js with minimal file system permissions using the --permission flag (Node.js v20.0.0+; on the v20 release line the flag is spelled --experimental-permission)
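One way to implement the path validation named above, as an added example that is not jsPDF's code or part of the advisory. The function name resolveInside and the fixture names are hypothetical, and it assumes the application serves files from a single allowed directory.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Resolve userInput against baseDir and return the real path, or throw when it
// would land outside baseDir ("..", absolute paths, symlinks) or is malformed.
function resolveInside(baseDir, userInput) {
  if (typeof userInput !== "string" || userInput === "" || userInput.includes("\0")) {
    throw new Error("invalid path input");
  }
  const realBase = fs.realpathSync(baseDir);
  // realpathSync follows symlinks and throws if the target does not exist.
  const realTarget = fs.realpathSync(path.resolve(realBase, userInput));
  const rel = path.relative(realBase, realTarget);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) {
    throw new Error("path escapes allowed directory");
  }
  return realTarget; // pass this, never the raw input, to the jsPDF method
}

// Constructed fixture: one allowed asset, a file outside the asset directory,
// and a symlink inside the asset directory that points outside it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "jspdf-paths-"));
  const assets = path.join(root, "assets");
  const outside = path.join(root, "secret.txt");
  fs.mkdirSync(assets);
  fs.writeFileSync(path.join(assets, "logo.png"), "constructed sample");
  fs.writeFileSync(outside, "constructed secret");
  fs.symlinkSync(outside, path.join(assets, "link.png"));
  const inputs = {
    plain: "logo.png", normalized: "sub/../logo.png", dotdot: "../secret.txt",
    absolute: outside, symlink: "link.png", nul: "logo.png\0.txt", missing: "nope.png",
  };
  const results = {};
  for (const [label, input] of Object.entries(inputs)) {
    try {
      resolveInside(assets, input);
      results[label] = "allowed";
    } catch {
      results[label] = "rejected";
    }
  }
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

The check and jsPDF's later read are separate steps, so the allowed directory should not be writable by untrusted users.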
🔍 How to Verify
Check if Vulnerable:
Check if your application uses jsPDF version <4.0.0 and calls loadFile, addImage, html, or addFont methods with user input
Check Version:
npm list jspdf | grep jspdf
Verify Fix Applied:
Verify jsPDF version is 4.0.0 or higher and test that file system access is restricted when using vulnerable methods
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in application logs
- Errors from jsPDF when accessing restricted paths
- Large PDF generation from unexpected file sources
Network Indicators:
- Unexpected PDF downloads containing file contents
- PDFs with embedded file data in responses
SIEM Query:
source="application.log" AND ("loadFile" OR "addImage" OR "html" OR "addFont") AND (".." OR "/etc/" OR "/root/" OR "/home/")