CVE-2025-57810
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-09-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parall | jspdf | up to 3.0.2 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-57810 is a vulnerability in the jsPDF library's addImage method. User-controlled input, specifically PNG image data or URLs, can be crafted to make the library enter an infinite loop or spend a very long time processing. This happens because the PNG parsing logic does not properly validate or handle corrupt PNG files, leading to excessive CPU utilization and denial of service (DoS). The issue was fixed in jsPDF version 3.0.2 by replacing the PNG parser with a more robust third-party library (fast-png) and improving input validation to prevent such infinite loops. [1, 3, 4]
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) condition by consuming excessive CPU resources when processing maliciously crafted PNG images passed to the addImage method. This can make the system or application using jsPDF unresponsive or unavailable. Since the attack requires no privileges or user interaction and can be triggered remotely by supplying harmful image data or URLs, it poses a significant risk to availability. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high CPU utilization or denial of service symptoms when the jsPDF library processes images, especially when the addImage method is called with user-supplied PNG data or URLs. Since the issue involves infinite loops triggered by malformed PNG images, detection involves observing long-running or stuck processes related to jsPDF usage. There is no specific command provided in the resources, but general system monitoring commands such as 'top' or 'htop' on Linux/macOS or Task Manager on Windows can help identify high CPU usage. Additionally, reviewing application logs for errors or delays during PDF generation involving images may help. To specifically test, one could attempt to pass crafted PNG data to the addImage method in a controlled environment to observe CPU behavior. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the jsPDF library to version 3.0.2 or later, where the vulnerability is fixed by replacing the PNG parser with the more robust fast-png dependency and improving input validation to prevent infinite loops. As a workaround before upgrading, sanitize or validate any image data or URLs passed to the addImage method to ensure they are not malformed or malicious PNG files. Avoid passing unsanitized user-controlled input to addImage or related methods. These steps will prevent the denial of service caused by high CPU utilization from corrupt PNG processing. [1, 3]
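One way to apply the validation workaround described above, as an added example that is not code from jsPDF or from this advisory: a structural PNG pre-check whose chunk walk is bounded by construction, run on the bytes before they reach addImage. The names `checkPng`, `makePng` and `LIMITS` and the limit values are assumptions, and the sample images are constructed; the page does not describe the exact malformed input, so this complements the upgrade to 3.0.2 rather than replacing it.

```javascript
// Added example (not jsPDF code): structural PNG pre-check before doc.addImage().
// LIMITS are assumed values; CRCs and the zlib stream are not verified here.
const PNG_SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
const LIMITS = { maxBytes: 10 * 1024 * 1024, maxChunks: 4096, maxDim: 8192 };

function checkPng(bytes, limits = LIMITS) {
  const fail = (reason) => ({ ok: false, reason });
  if (!(bytes instanceof Uint8Array)) return fail("not a byte array");
  if (bytes.length > limits.maxBytes) return fail("file too large");
  if (bytes.length < 8 || PNG_SIG.some((b, i) => bytes[i] !== b)) return fail("bad signature");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let off = 8, count = 0, sawIdat = false;
  // Every pass advances off by at least 12 bytes, so the walk always terminates.
  while (off + 12 <= bytes.length) {
    if (++count > limits.maxChunks) return fail("too many chunks");
    const len = view.getUint32(off); // big-endian chunk data length
    const type = String.fromCharCode(...bytes.subarray(off + 4, off + 8));
    if (len > bytes.length - off - 12) return fail("chunk overruns file");
    if (count === 1) {
      if (type !== "IHDR" || len !== 13) return fail("IHDR must be first");
      const w = view.getUint32(off + 8), h = view.getUint32(off + 12);
      if (!w || !h || w > limits.maxDim || h > limits.maxDim) return fail("bad dimensions");
    } else if (type === "IHDR") return fail("duplicate IHDR");
    if (type === "IDAT") sawIdat = true;
    if (type === "IEND") {
      if (len !== 0 || !sawIdat) return fail("bad IEND or no IDAT");
      return off + 12 === bytes.length ? { ok: true } : fail("trailing data");
    }
    off += 12 + len;
  }
  return fail("truncated: no IEND");
}

// Constructed sample builder: chunks as [type, dataBytes], CRC fields zeroed.
function makePng(chunks) {
  const out = [...PNG_SIG];
  for (const [type, data] of chunks) {
    const n = data.length;
    out.push(n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255);
    out.push(...[...type].map((c) => c.charCodeAt(0)), ...data, 0, 0, 0, 0);
  }
  return Uint8Array.from(out);
}
const ihdr = (w, h) => [0, 0, w >>> 8, w & 255, 0, 0, h >>> 8, h & 255, 8, 2, 0, 0, 0];
const good = makePng([["IHDR", ihdr(2, 2)], ["IDAT", [1, 2, 3]], ["IEND", []]]);
const noEnd = good.slice(0, good.length - 12); // truncated before IEND
console.log(checkPng(good), checkPng(noEnd));
```

Call `checkPng` on the decoded bytes and only pass the image to addImage when `ok` is true; running PDF generation in a worker with a timeout bounds CPU use for anything that still slips through.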