Critical Path Traversal Flaw in jsPDF Library
Summary
A critical path traversal vulnerability (CVE-2025-68428) in the jsPDF library allows attackers to steal sensitive data from the local filesystem by including it in generated PDFs. The flaw affects versions before 4.0.0 and is due to unsanitized paths passed to the 'loadFile' function. The issue is mitigated in version 4.0.0 by restricting filesystem access by default.
Timeline
- 07.01.2026 23:46 · 1 article
Critical Path Traversal Flaw in jsPDF Library Disclosed
- Critical jsPDF flaw lets hackers steal secrets via generated PDFs — www.bleepingcomputer.com — 07.01.2026 23:46
Information Snippets
- The vulnerability is tracked as CVE-2025-68428 with a severity score of 9.2.
- The flaw affects the Node.js builds of jsPDF, specifically the 'loadFile' function.
- Other file loading methods like 'addImage', 'html', and 'addFont' are also affected.
- The issue is mitigated in version 4.0.0 by restricting filesystem access by default.
- The jsPDF library has over 3.5 million weekly downloads on the npm registry.
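The summary attributes the flaw to unsanitized paths reaching the file-loading functions. As an added example (not code from jsPDF or the cited article), here is a Node.js containment check an application can apply to any user-influenced path before handing it to such a function; `ASSET_ROOT`, the function names and the sample inputs are hypothetical and constructed for illustration.

```javascript
const path = require('node:path');

// Hypothetical directory holding the only files the PDF generator may read.
const ASSET_ROOT = path.resolve('/srv/app/pdf-assets');

// Resolve userPath against root and reject anything that lands outside it.
// The check is lexical: symlinks inside root are not followed, so a
// deployment that allows symlinks there also needs an fs.realpathSync pass.
function resolveInsideRoot(root, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) {
    throw new Error('path must be a non-empty string');
  }
  if (userPath.includes('\0')) {
    throw new Error('NUL byte in path');
  }
  const base = path.resolve(root);
  const candidate = path.resolve(base, userPath);
  // path.relative avoids the classic startsWith(base) mistake, which would
  // accept a sibling directory such as "/srv/app/pdf-assets-private".
  const rel = path.relative(base, candidate);
  const escapes =
    rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error('path escapes asset root');
  }
  return candidate;
}

// Constructed sample inputs: two legitimate names and four escape attempts.
const SAMPLE_INPUTS = [
  'logo.png',
  'img/../logo.png',
  '../../etc/passwd',
  '/etc/passwd',
  '../pdf-assets-private/key.pem',
  'fonts/a.ttf\0.png',
];

// Classify each input without throwing, for logging or unit tests.
function checkAll(root, inputs) {
  return inputs.map((input) => {
    try {
      return { input, ok: true, resolved: resolveInsideRoot(root, input) };
    } catch (err) {
      return { input, ok: false, reason: err.message };
    }
  });
}
```

Only the value returned by `resolveInsideRoot` should be passed on to a file-loading call; the raw request value should never reach it.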