Critical jsPDF Vulnerability Lets Attackers Steal Server Files via Generated PDFs

A critical security vulnerability has been discovered in jsPDF, one of the most popular JavaScript libraries for generating PDF documents. The flaw, tracked as CVE-2025-68428, allows attackers to read arbitrary files from server filesystems and exfiltrate their contents by embedding them directly into generated PDF documents.

Vulnerability Overview
CVE ID	CVE-2025-68428
CVSS Score	9.2 (Critical)
Weekly Downloads	3.5 million+
Affected Builds	Node.js only
Fixed Version	4.0.0

With over 3.5 million weekly downloads on npm, jsPDF is widely deployed across enterprise applications, SaaS platforms, and developer projects worldwide. Organizations using the Node.js build of this library should update immediately.

How the Attack Works

The vulnerability stems from insufficient input validation in the loadFile method within jsPDF's Node.js builds. When user-controlled input is passed as a file path argument, the library reads the specified file from disk and incorporates its contents verbatim into the generated PDF output.

Security researchers at Endor Labs, who published a detailed technical analysis, explain that multiple methods are affected beyond loadFile:

Affected Methods	Internal Behavior
addImage	Calls vulnerable loadFile
html	Calls vulnerable loadFile
addFont	Calls vulnerable loadFile

All of these methods internally call the vulnerable loadFile function, meaning any unsanitized path passed to them becomes an attack vector.

Proof of Concept: A simple exploitation demonstrates the severity:

import { jsPDF } from "./dist/jspdf.node.js";
const doc = new jsPDF();
doc.addImage("../../../etc/passwd", "JPEG", 0, 0, 10, 10);
doc.save("output.pdf");
// The generated PDF now contains the server's /etc/passwd file

The file type parameter (e.g., "JPEG") does not prevent non-image files from being read. The library reads whatever file path is provided and embeds the raw content. Path traversal sequences like ../ allow attackers to navigate outside the intended directory.

What's at Risk

Successful exploitation could expose any file readable by the Node.js process:

Exposed Data Type	Impact
Configuration files	Database credentials exposed
Environment variables	API keys and secrets leaked
Application source code	Intellectual property theft
Private keys/certificates	Complete system compromise
System files	/etc/passwd, /etc/shadow access

Stealth Exfiltration: The attack is particularly dangerous because the stolen data is exfiltrated through normal application output - the generated PDF itself. This makes detection challenging since no anomalous network connections are required.

Who Is Affected

Only the Node.js builds of jsPDF are vulnerable:

• dist/jspdf.node.js
• dist/jspdf.node.min.js

Browser-based implementations are not affected because browsers enforce strict sandbox policies that prevent JavaScript from directly accessing the local filesystem.

However, the vulnerability becomes exploitable in any scenario where:

• User-controlled input reaches the affected methods
• File paths are not explicitly sanitized
• No allowlist restricts which files can be loaded

Patch and Mitigation

The vulnerability has been fixed in jsPDF version 4.0.0, released on January 3, 2026. This version restricts filesystem access by default and relies on Node.js permission mode for additional protection.

Immediate Actions Required

Priority	Action
Critical	Update to jsPDF 4.0.0 immediately
High	Audit all user input reaching affected methods
Medium	Implement input validation as defense-in-depth
Recommended	Enable Node.js permission mode in production

For environments that cannot immediately upgrade, the following mitigations are recommended:

For Node.js v22.13.0+ / v23.5.0+ / v24.0.0+:

node --permission --allow-fs-read=/app/allowed-directory app.js

Warning: Endor Labs cautions that the --permission flag affects the entire Node.js process, not just jsPDF. Additionally, overly broad filesystem permissions in the --allow-fs-read configuration can negate the fix entirely.

For older Node.js versions: Rigorously sanitize all user-provided file paths before passing them to jsPDF functions. Implement strict allowlists for permitted files.

Security Recommendations

Organizations using jsPDF in Node.js environments should take immediate action:

Step	Description	Priority
1	Audit immediately - determine if affected versions are in use	Critical
2	Update to version 4.0.0 - patch as soon as possible	Critical
3	Review code - check for user-controlled input reaching affected methods	High
4	Implement input validation - defense-in-depth regardless of version	High
5	Enable permission mode - for Node.js production deployments	Medium

Credit

The vulnerability was discovered and responsibly disclosed by security researcher Kwangwoon Kim (kilkat). The jsPDF maintainers at Parallax delivered a prompt fix following the disclosure.

Bottom Line: Given jsPDF's widespread adoption and the CVSS 9.2 critical severity rating, CVE-2025-68428 is a strong candidate for active exploitation. Security teams should prioritize this patch immediately.