Critical path traversal flaw reported in jsPDF library
Take action: If you are using jsPDF, review this advisory and your use case. Ideally, update to version 4.0.0 and use the Node.js --permission flag to limit which files the process can read. Also, as a normal best practice, always sanitize and validate user input before passing it to libraries.
Learn More
jsPDF, a widely used JavaScript library for generating PDF documents, patched a critical path traversal vulnerability that allows attackers to steal files from a server.
The flaw is tracked as CVE-2025-68428 (CVSS score 10.0) and occurs when the library processes unsanitized file paths provided by users. Attackers can exploit this to read sensitive data from the local file system where the Node.js process is running. The library then embeds the stolen file content directly into the generated PDF document.
The vulnerability impacts the jsPDF versions 3.0.4 and earlier Node.js builds of the library, including the dist/jspdf.node.js and dist/jspdf.node.min.js files. If an application allows users to pass paths to certain methods, an attacker can use "../" sequences to navigate outside of intended directories.
Multiple methods within the library are susceptible to this attack. loadFile is the primary vector, ut bother affected methods include addImage, html, and addFont.
Exposed data may include:
- Local system files (e.g., /etc/passwd)
- Application source code
- Environment variables and configuration files
- Internal credentials and API keys
Developers must upgrade to jsPDF version 4.0.0 ASAP to resolve this issue. For those unable to upgrade, Node.js provides a --permission flag in versions 22.13.0 and later to limit file system access. As a matter best practice developers should always sanitize user-provided paths before passing them to any library methods.
