PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-68428 parallax CVE debrief

CVE-2025-68428 is a critical vulnerability in jsPDF, a JavaScript library used for generating PDFs. Prior to version 4.0.0, the library's node.js build allows user control of the first argument of the loadFile method, enabling local file inclusion and path traversal attacks. This could allow an attacker to retrieve file contents of arbitrary files in the local file system where the node process is running. The vulnerability affects the node.js builds of the library, specifically the dist/jspdf.node.js and dist/jspdf.node.min.js files. The vulnerability has been fixed in jsPDF version 4.0.0, which restricts file system access by default. This update does not introduce other breaking changes.

Vendor
parallax
Product
jsPDF
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-05
Original CVE updated
2026-06-30
Advisory published
2026-01-05
Advisory updated
2026-06-30

Who should care

Developers using jsPDF in node.js environments should be concerned about this vulnerability. Given the critical severity (CVSS score of 9.2), immediate attention is required to prevent potential local file inclusion and path traversal attacks. Users of jsPDF in browser environments are not affected. Red Hat users should also review the provided errata for potential impacts.

Technical summary

The vulnerability in jsPDF arises from the lack of sanitization in the loadFile method of the node.js build. This method, along with addImage, html, and addFont, can be exploited for local file inclusion and path traversal. An attacker could leverage this to access sensitive files on the system where the node process runs. The fix in version 4.0.0 restricts file system access by default, mitigating the issue. For older node versions lacking the --permission flag, path sanitization is recommended as a workaround.

Defensive priority

High. Given the critical CVSS score and the potential for local file inclusion and path traversal, defenders should prioritize updating jsPDF to version 4.0.0 or applying recommended workarounds immediately.

Recommended defensive actions

  • Update jsPDF to version 4.0.0 or later to restrict file system access by default.
  • For environments using older node versions, implement path sanitization for user-provided paths before passing them to jsPDF.
  • Review and apply Red Hat errata if applicable.
  • Use the --permission flag in production for recent node versions.
  • Monitor for suspicious activity related to file access patterns.

Evidence notes

The CVE-2025-68428 vulnerability details are based on information from the NVD and jsPDF's official GitHub repository. The vulnerability allows for local file inclusion and path traversal in node.js builds of jsPDF prior to version 4.0.0. Fixes and workarounds are provided, including updating to version 4.0.0 and path sanitization for older node versions.

Official resources

This article is AI-assisted and based on the supplied source corpus.