CVE-2025-68428
Unknown Unknown - Not Provided
Local File Inclusion in jsPDF Node.js Build Allows Arbitrary File Access

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in [email protected]. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68428
EUVD
EUVD-2026-0847
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
parallax/jspdf 4.0.0 *
parallax/jspdf * to 4.0.0 (exc)
parallax/jspdf 20.0.0 *
parallax/jspdf 22.13.0 *
parallax/jspdf 23.5.0 *
parallax/jspdf 24.0.0 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-35 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in jsPDF prior to version 4.0.0 allows an attacker to perform local file inclusion/path traversal by controlling the first argument of the loadFile method in the node.js build. If unsanitized paths are passed, an attacker can retrieve contents of arbitrary files from the local file system where the node process runs. These file contents are then included verbatim in the generated PDFs. Other affected methods include addImage, html, and addFont. The issue is fixed in jsPDF version 4.0.0, which restricts file system access by default.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive local files by including their contents in generated PDFs. An attacker exploiting this could access confidential information stored on the server running the node.js process, potentially leading to data breaches or exposure of sensitive data.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade jsPDF to version 4.0.0 or later, as this version restricts file system access by default. Additionally, if you are using recent Node.js versions, use the '--permission' flag in production to limit file system access. For older Node.js versions, ensure that all user-provided paths passed to jsPDF methods like loadFile, addImage, html, and addFont are properly sanitized to prevent local file inclusion or path traversal.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart