CVE-2026-24133

N/A Unknown

📋 TL;DR

This vulnerability in jsPDF allows attackers to cause denial of service by providing malicious BMP files with large width/height values in their headers. When unsanitized image data or URLs are passed to the addImage or html methods, it triggers excessive memory allocation leading to out-of-memory errors. Any application using vulnerable versions of jsPDF that accepts user-controlled image input is affected.

💻 Affected Systems

Products:
  • jsPDF
Versions: All versions prior to 4.1.0
Operating Systems: All platforms running JavaScript/Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the addImage or html methods with user-controlled input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service causing application crashes and unavailability for all users, potentially requiring server restarts to recover.

🟠 Likely Case

Application instability and intermittent crashes when users upload or process malicious BMP files, leading to degraded service.

🟢 If Mitigated

No impact if input validation prevents malicious BMP files from reaching jsPDF methods.

🌐 Internet-Facing: HIGH - Web applications accepting user uploads are directly exposed to this attack.
🏢 Internal Only: MEDIUM - Internal applications could still be vulnerable if they process user-provided images.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Creating malicious BMP files with large header values is trivial, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.0

Vendor Advisory: https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c

Restart Required: No

Instructions:

1. Update jsPDF dependency to version 4.1.0 or later.
2. For npm: 'npm update jspdf'.
3. For yarn: 'yarn upgrade jspdf'.
4. Verify the update in package.json shows version >=4.1.0.

🔧 Temporary Workarounds

Input validation for image dimensions

all

Validate BMP file headers before passing to jsPDF to ensure width and height values are within reasonable limits.

Sanitize user input

all

Implement strict input validation and sanitization for all user-provided image data and URLs before they reach jsPDF methods.

🧯 If You Can't Patch

  • Implement server-side validation of BMP file headers to reject files with excessive width/height values
  • Use Content Security Policies and rate limiting to reduce attack surface

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for jsPDF version. If version is less than 4.1.0 and the application uses addImage or html methods with user input, it's vulnerable.

Check Version:

npm list jspdf or check package.json for 'jspdf' version

Verify Fix Applied:

Confirm jsPDF version is 4.1.0 or higher in package.json and test that malicious BMP files no longer cause memory exhaustion.

📡 Detection & Monitoring

Log Indicators:

  • Out of memory errors
  • Application crashes when processing images
  • High memory usage spikes during image processing

Network Indicators:

  • Unusually large BMP file uploads
  • Repeated image upload attempts

SIEM Query:

source=application_logs AND ("out of memory" OR "OOM" OR "memory allocation failed") AND process="node"
