AI description
CVE-2025-68428 is a local file inclusion and path traversal vulnerability affecting the Node.js builds of the jsPDF library, specifically versions prior to 4.0.0. The flaw arises when user-controlled input is passed as the first argument to methods such as `loadFile`, `addImage`, `html`, and `addFont` without proper sanitization. This allows an attacker to supply crafted paths, including traversal sequences, to read arbitrary files from the local file system where the Node.js process is running. Upon successful exploitation, the contents of these arbitrary files are included verbatim within the generated PDF documents. This vulnerability is present only in the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` builds of the library. The issue has been addressed in jsPDF version 4.0.0, which restricts file system access by default.
- Description
- jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve the contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access by default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- jspdf
CVSS 4.0
- Type
- Secondary
- Base score
- 9.2
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- Hype score
- Not currently trending
#VulnerabilityReport #CVE202568428 CVE-2025-68428: Critical Flaw in jsPDF Library Allows Server-Side File Theft https://t.co/H4vw3xA1jA
@Komodosec
7 Feb 2026
57 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68428 https://t.co/Bc4Yc62uvQ
@nasibaliyusibov
21 Jan 2026
31 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🔍 Need to scan your assets for the critical jsPDF CVE-2025-68428? Check out this bulk detection tool! #cybersecurity #infosec It's for detection ONLY — no exploitation. Audit & patch! https://t.co/vTDYXyNKNC
@TheExploitLab
16 Jan 2026
97 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
jsPDF is a library to generate PDFs in JavaScript. Before version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. CVE-2025-68428 PoC https://t.co/VDMthqfC6z
@S0ufi4n3
12 Jan 2026
1842 Impressions
2 Retweets
27 Likes
17 Bookmarks
0 Replies
0 Quotes
I have just made a CVE-2025-68428 PoC. Critical Path Traversal in jsPDF https://t.co/JWRa8aS6GI https://t.co/trZ88j7jqA
@_12nio
9 Jan 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚡️ Cybersecurity Developments in the Last 12 Hours ⚡️ 🚨 A critical jsPDF flaw (CVE-2025-68428) in Node.js builds allows local file inclusion and path traversal, risking sensitive data exposure unless upgraded to v4.0.0. 👾 Researchers demonstrate IBM's AI coding ag
@greytech_ltd
8 Jan 2026
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CRITICAL SECURITY ALERT: jsPDF 🚨 Devs using jsPDF in Node.js: your server files are at risk. A new flaw (CVE-2025-68428) allows hackers to steal secrets via generated PDFs. Severity: Critical (CVSS 9.2) 📉 Fix & Details in thread 👇 #CyberSecurity #Nod
@kirpa_pandey
8 Jan 2026
1 Impression
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
#jsPDF: Critical Path Traversal Vulnerability (CVE-2025-68428) in jsPDF - a widely-adopted #npm package for generating PDF documents in JavaScript applications allows attackers to read & exfiltrate arbitrary files from the local filesystem: 👇 https://t.co/YOi4OLUEYr
@securestep9
7 Jan 2026
555 Impressions
0 Retweets
5 Likes
6 Bookmarks
1 Reply
0 Quotes
An easy explanation of jsPDF CVE-2025-68428. Stay safe and upgrade to version 4.0.0 https://t.co/bdKZe4Y2Tm
@prismor_dev
7 Jan 2026
42 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68428: The jsPDF Flaw Turning Your Server’s Private Files into Public PDF Attachments Read the full report on - https://t.co/h4YPYV4VBR https://t.co/2LVDgkmuq1
@cyberbivash
7 Jan 2026
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical vulnerability in jsPDF, CVE-2025-68428 https://t.co/aXz6uIQ56h
@abclinuxu
6 Jan 2026
94 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
1 Quote
Critical AdonisJS Bodyparser flaw (CVE-2026-21440, CVSS 9.2) enables arbitrary file write via unsanitized filenames in MultipartFile.move(). Update "@adonisjs/bodyparser." jsPDF has a similar flaw (CVE-2025-68428). https://t.co/ZKSgtjd1Ht
@Jfreeg_
6 Jan 2026
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68428 reveals a 9.2 critical flaw in jsPDF's Node.js build, allowing arbitrary file reads from servers. Upgrade to version 4.0.0 now! #jsPDF #NodeJS #CyberSecurity #LFI #DataLeak #InfoSec #PathTraversal #PatchAlert #JavaScript #WebDev https://t.co/DtNmKcNUWW
@the_yellow_fall
6 Jan 2026
266 Impressions
5 Retweets
5 Likes
2 Bookmarks
1 Reply
0 Quotes
CVE-2025-68428 jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local… https://t.co/b50USqG5zk
@CVEnew
6 Jan 2026
150 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1EED4B66-0CA7-43D9-A73B-505062F90B4D",
            "versionEndExcluding": "4.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]