SecurityWeek

Critical Vulnerability Patched in jsPDF

The bug can allow attackers to read arbitrary files from the system, potentially exposing configurations and credentials.

A critical-severity vulnerability recently patched in the jsPDF library could allow attackers to read sensitive information, including configuration files and credentials, Endor Labs warns.

A popular NPM package with more than 3.5 million downloads per week, jsPDF supports the creation of PDF documents in JavaScript applications.

The flaw, tracked as CVE-2025-68428 (CVSS score of 9.2), is a local file inclusion/path traversal issue in the library’s loadFile method.

Because user-controlled input is passed as a file path argument, jsPDF reads the specified file and includes its content in the PDF output.

“If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs,” jsPDF’s maintainers explain in an advisory.

Public-facing methods that internally call loadFile and could be abused as attack vectors include addImage, html, and addFont.

Only the Node.js builds of jsPDF are impacted by the flaw, which was addressed in jsPDF version 4.0.0 by restricting file access by default.

According to Endor Labs, an attacker could exploit the vulnerability to disclose configuration files, credentials, environment variables, and the contents of any other file that the Node.js process can access.

“The library reads whatever file path is provided and embeds the raw content. Path traversal sequences allow reading files outside the intended directory scope. This becomes externally exploitable when a user-controlled value is passed to the first parameter within the impacted methods,” Endor Labs says.

To resolve the vulnerability, users should update to jsPDF version 4.0.0 and use Node’s permission flags to restrict file access to specific files only.

“If you upgrade to jsPDF 4.0.0 but configure Node.js with broad read permissions to keep the application running, you remain vulnerable,” Endor Labs explains.
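Alongside the upgrade, applications can refuse unsanitized paths before they reach addImage, html, or addFont. The guard below is an added example, not code from jsPDF, Endor Labs, or this article; the asset directory `/srv/app/pdf-assets` and the names `resolveInside` and `check` are assumptions.

```javascript
// Added example: confine a user-influenced path to one directory before it is
// handed to a jsPDF method that calls loadFile internally.
const path = require('node:path');

// Hypothetical directory holding the only files a generated PDF may embed.
const ASSET_ROOT = path.resolve('/srv/app/pdf-assets');

// Resolve userPath against root and return the absolute path only if it
// stays strictly inside root; otherwise throw.
function resolveInside(root, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) {
    throw new Error('path must be a non-empty string');
  }
  if (userPath.includes('\0')) {
    throw new Error('NUL byte in path');
  }
  const base = path.resolve(root);
  // path.resolve collapses "../" segments and lets an absolute userPath
  // replace base entirely, so the result is what the file system would open.
  const candidate = path.resolve(base, userPath);
  const rel = path.relative(base, candidate);
  const escapes =
    rel === '' ||                      // the root directory itself, not a file
    rel === '..' ||
    rel.startsWith('..' + path.sep) || // climbed out, including sibling dirs
    path.isAbsolute(rel);              // different drive on Windows
  if (escapes) {
    throw new Error('path escapes asset root');
  }
  return candidate;
}

// Convenience wrapper: returns the safe absolute path, or null if rejected.
function check(userPath) {
  try {
    return resolveInside(ASSET_ROOT, userPath);
  } catch (err) {
    return null;
  }
}

// Constructed sample inputs; only the first resolves to a path.
for (const p of ['logo.png', '../../etc/passwd', '/etc/passwd', '../pdf-assets-old/x.png']) {
  console.log(JSON.stringify(p), '->', check(p));
}
// The check is lexical: a symlink inside the asset root can still point
// elsewhere, so keep the Node permission model as a second layer
// (e.g. --permission with a narrow --allow-fs-read).
```

Only the value returned by `resolveInside` should be passed as the first parameter of the affected jsPDF methods, never the original request value.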

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
