PDF Data Exfiltration: Critical 9.2 jsPDF Flaw Leaks Server Secrets
A critical vulnerability has been unearthed within the ubiquitous JavaScript library jsPDF, a tool primarily utilized for the programmatic generation of PDF documents. This flaw empowers an adversary to manipulate file paths, thereby facilitating the surreptitious embedding of local file system content directly into the generated documents.
Designated as CVE-2025-68428 with a CVSS score of 9.2, the issue is a Local File Inclusion (LFI) and path traversal weakness. When an insufficiently sanitized path is processed, the library's file-loading mechanism can read arbitrary files from the server and append their contents to the resulting PDF. Given that jsPDF is an industry staple, averaging over 3.5 million weekly downloads on npm, the potential exposure is extensive.
The vulnerability affects the Node.js builds of jsPDF prior to version 4.0.0. Within these server-side builds, the loadFile function reads directly from the local file system. If file paths are constructed from unfiltered user input, an attacker could specify sensitive system or configuration files, which jsPDF would then incorporate into the PDF without further validation.
This defect is not isolated to a single function; the same underlying mechanisms govern addImage, html, and addFont, rendering them equally susceptible when handling paths insecurely. Developers have clarified that the flaw is confined to the Node.js builds—specifically dist/jspdf.node.js and its minified counterpart—whereas browser-based versions remain insulated due to the lack of direct file system access.
According to assessments by Endor Labs, the exploitability of this flaw is contingent upon the library’s implementation within a given project. The risk is negligible if paths are hardcoded or verified against strict allow-lists; however, in scenarios where paths are derived from raw user data, the threat becomes palpable.
The vulnerability was fixed in jsPDF version 4.0.0. The update restricts file system access by default and leverages the Node.js permission model. One caveat remains: because the permission model is still experimental in Node.js 20, researchers advocate adopting more recent releases, such as 22.13.0, 23.5.0, or 24.0.0 and above.
Additional complexities remain. While the jsPDF maintainers suggest the --permission flag as an interim mitigation, it applies to the entire Node.js process rather than to the library alone. Furthermore, granting broad read access with --allow-fs-read effectively nullifies these protections. For projects tied to legacy Node.js versions, the recommendation is to sanitize and validate all user-supplied paths before they are passed to the library.
Considering the widespread adoption of jsPDF across diverse web applications and services, researchers perceive CVE-2025-68428 as a prime target for malicious actors and urge immediate transition to the patched version.