CVE-2026-24133
Unknown Unknown - Not Provided
Denial of Service via Memory Exhaustion in jsPDF addImage

Publication date: 2026-02-02

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in [email protected].
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24133
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
parall jspdf to 4.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the jsPDF library prior to version 4.1.0. It occurs because the addImage method allows user control over its first argument without proper sanitization. If a user passes a harmful BMP file with large width and/or height values in its header, it causes excessive memory allocation, leading to out of memory errors and denial of service. The html method is also affected by this issue. The vulnerability has been fixed in jsPDF version 4.1.0.

Impact Analysis

This vulnerability can lead to denial of service by causing the application using jsPDF to consume excessive memory and potentially crash or become unresponsive. An attacker could exploit this by providing specially crafted BMP files or URLs to the addImage or html methods, resulting in out of memory errors and disruption of service.

Mitigation Strategies

Update jsPDF to version 4.1.0 or later, as this version contains the fix for the vulnerability. Avoid passing unsanitized image data or URLs to the addImage and html methods to prevent denial of service caused by harmful BMP files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24133. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart