CVE-2026-24133
Denial of Service via Memory Exhaustion in jsPDF addImage
Publication date: 2026-02-02
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parall | jspdf | to 4.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the jsPDF library prior to version 4.1.0. It occurs because the addImage method allows user control over its first argument without proper sanitization. If a user passes a harmful BMP file with large width and/or height values in its header, it causes excessive memory allocation, leading to out of memory errors and denial of service. The html method is also affected by this issue. The vulnerability has been fixed in jsPDF version 4.1.0.
How can this vulnerability impact me? :
This vulnerability can lead to denial of service by causing the application using jsPDF to consume excessive memory and potentially crash or become unresponsive. An attacker could exploit this by providing specially crafted BMP files or URLs to the addImage or html methods, resulting in out of memory errors and disruption of service.
What immediate steps should I take to mitigate this vulnerability?
Update jsPDF to version 4.1.0 or later, as this version contains the fix for the vulnerability. Avoid passing unsanitized image data or URLs to the addImage and html methods to prevent denial of service caused by harmful BMP files.