PatchSiren cyber security CVE debrief
CVE-2025-68428 parallax CVE debrief
CVE-2025-68428 is a critical vulnerability in jsPDF, a JavaScript library used for generating PDFs. Prior to version 4.0.0, the library's node.js build allows user control of the first argument of the loadFile method, enabling local file inclusion and path traversal attacks. This could allow an attacker to retrieve file contents of arbitrary files in the local file system where the node process is running. The vulnerability affects the node.js builds of the library, specifically the dist/jspdf.node.js and dist/jspdf.node.min.js files. The vulnerability has been fixed in jsPDF version 4.0.0, which restricts file system access by default. This update does not introduce other breaking changes.
- Vendor
- parallax
- Product
- jsPDF
- CVSS
- CRITICAL 9.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-05
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-01-05
- Advisory updated
- 2026-06-30
Who should care
Developers using jsPDF in node.js environments should be concerned about this vulnerability. Given the critical severity (CVSS score of 9.2), immediate attention is required to prevent potential local file inclusion and path traversal attacks. Users of jsPDF in browser environments are not affected. Red Hat users should also review the provided errata for potential impacts.
Technical summary
The vulnerability in jsPDF arises from the lack of sanitization in the loadFile method of the node.js build. This method, along with addImage, html, and addFont, can be exploited for local file inclusion and path traversal. An attacker could leverage this to access sensitive files on the system where the node process runs. The fix in version 4.0.0 restricts file system access by default, mitigating the issue. For older node versions lacking the --permission flag, path sanitization is recommended as a workaround.
Defensive priority
High. Given the critical CVSS score and the potential for local file inclusion and path traversal, defenders should prioritize updating jsPDF to version 4.0.0 or applying recommended workarounds immediately.
Recommended defensive actions
- Update jsPDF to version 4.0.0 or later to restrict file system access by default.
- For environments using older node versions, implement path sanitization for user-provided paths before passing them to jsPDF.
- Review and apply Red Hat errata if applicable.
- Use the --permission flag in production for recent node versions.
- Monitor for suspicious activity related to file access patterns.
Evidence notes
The CVE-2025-68428 vulnerability details are based on information from the NVD and jsPDF's official GitHub repository. The vulnerability allows for local file inclusion and path traversal in node.js builds of jsPDF prior to version 4.0.0. Fixes and workarounds are provided, including updating to version 4.0.0 and path sanitization for older node versions.
Official resources
-
CVE-2025-68428 CVE record
CVE.org
-
CVE-2025-68428 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.