The jsPDF library, widely used for generating PDFs in JavaScript, has a critical vulnerability (CVE-2025-68428) that exposes sensitive filesystem data through local file inclusion and path traversal. The flaw affects jsPDF versions before 4.0.0 running on Node.js, and puts affected systems at risk of data theft.
Key points
- The vulnerability impacts jsPDF versions prior to 4.0.0 on Node.js environments.
- Exploitation involves passing unsanitized file paths to functions like “loadFile,” “addImage,” “html,” or “addFont.”
- The fix in version 4.0.0 restricts filesystem access by default using Node.js permission modes.
- Effective mitigation includes hardcoding trusted paths and using strict allowlists for input validation.
- Endor Labs warns that the experimental Node.js permission mode and permissive flags can undermine the security fix.
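
One way to apply the hardcoded-path and allowlist mitigation listed above, as an added example (not code from jsPDF or Endor Labs). The `resolveAsset` helper, the extension list and the `/srv/app/pdf-assets` root are assumptions made for illustration.

```javascript
// Added example: validate a caller-supplied asset name before it reaches a
// jsPDF file-loading call. Helper name, root and extension list are assumptions.
const fs = require('node:fs');
const path = require('node:path');

// Assumption: only these file types are ever embedded in generated PDFs.
const ALLOWED_EXTENSIONS = new Set(['.png', '.jpg', '.jpeg', '.ttf']);

/**
 * Resolve `requested` inside `assetRoot` and return its real path.
 * Throws if the name is malformed, the file is missing, the type is not
 * allowlisted, or the path (after following symlinks) leaves the root.
 */
function resolveAsset(assetRoot, requested) {
  if (typeof requested !== 'string' || requested.length === 0 || requested.includes('\0')) {
    throw new Error('invalid asset name');
  }
  // Canonicalize both sides so "../" segments and symlinks are resolved
  // before the containment check, not after.
  const root = fs.realpathSync(assetRoot);
  const real = fs.realpathSync(path.resolve(root, requested));

  const rel = path.relative(root, real);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error('path escapes asset root');
  }
  if (!ALLOWED_EXTENSIONS.has(path.extname(real).toLowerCase())) {
    throw new Error('file type not allowed');
  }
  if (!fs.statSync(real).isFile()) {
    throw new Error('not a regular file');
  }
  return real;
}

// Usage sketch (jsPDF is not loaded here; the root path is hypothetical):
//   const safe = resolveAsset('/srv/app/pdf-assets', req.query.logo);
//   doc.addImage(safe, 'PNG', 10, 10, 50, 50);
```

The check fails closed: a missing file, a symlink pointing outside the root, and an absolute path all raise before any jsPDF function sees the value.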