Critical Vulnerability in jsPDF Could Allow Attackers to Steal Sensitive Server Files


13/69 Friday, January 9, 2026

A critical security vulnerability, tracked as CVE-2025-68428, has been discovered in jsPDF, a popular JavaScript library with more than 3.5 million downloads per week. The vulnerability carries a CVSS score of 9.2 and stems from Local File Inclusion (LFI) and Path Traversal flaws in the file-loading mechanism when jsPDF is used in a Node.js environment. This weakness allows attackers to abuse functions such as addImage, html, or addFont to read sensitive files from the local filesystem and embed their contents directly into generated PDF files, leading to immediate data leakage.

According to a report by Endor Labs, the risk primarily affects applications running jsPDF on Node.js, particularly those using dist/jspdf.node.js, where user-controlled input is used to define file paths without sufficient sanitization. Applications that rely on hardcoded file paths or enforce strict allowlists are significantly less exposed or unaffected. The jsPDF maintainers have addressed the issue in version 4.0.0 by adopting the Node.js Permission Model to restrict filesystem access.

However, developers and system administrators are warned that upgrading alone is not sufficient. Misconfiguring the Permission Model (for example, using overly permissive flags like --allow-fs-read=/* or granting read access to the entire root directory) will immediately nullify the protection. In addition, the Permission Model is still considered experimental in Node.js 20. Security experts therefore recommend running jsPDF on Node.js versions 22.13.0, 23.5.0, or 24.0.0 and later to ensure full functionality and maximum security.
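The allowlist and sanitization point from the Endor Labs report can be enforced in application code before any user-influenced path reaches a file-loading call. The following is an added example, not code from jsPDF or from the report; resolveInside, demo and the directory layout are hypothetical, and the sample files are constructed.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: map a user-supplied name to a real path that is
// guaranteed to live under baseDir, or throw.
function resolveInside(baseDir, userInput) {
  if (typeof userInput !== 'string' || userInput === '' || userInput.includes('\0')) {
    throw new Error('invalid file name');
  }
  // realpathSync follows symlinks and throws if the file does not exist.
  const base = fs.realpathSync(baseDir);
  const real = fs.realpathSync(path.resolve(base, userInput));
  const rel = path.relative(base, real);
  // '' is the directory itself; '..' prefixes and absolute results are outside it.
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) throw new Error('path escapes allowed directory');
  return real;
}

// Constructed sample layout: <tmp>/assets/logo.png is allowed,
// <tmp>/secret.txt must never be reachable through the helper.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'pdf-demo-'));
  const assets = path.join(root, 'assets');
  const secret = path.join(root, 'secret.txt');
  fs.mkdirSync(assets);
  fs.writeFileSync(path.join(assets, 'logo.png'), 'constructed image bytes');
  fs.writeFileSync(secret, 'constructed secret');
  fs.symlinkSync(secret, path.join(assets, 'link.png'));
  const inputs = { plain: 'logo.png', traversal: '../secret.txt',
    absolute: secret, symlink: 'link.png', missing: 'nope.png' };
  const allowed = {};
  for (const [label, name] of Object.entries(inputs)) {
    try { resolveInside(assets, name); allowed[label] = true; }
    catch { allowed[label] = false; }
  }
  fs.rmSync(root, { recursive: true, force: true });
  return allowed;
}

console.log(demo());
```

A check like this complements a narrowly scoped --allow-fs-read setting; it does not replace the upgrade or the Permission Model.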

Source: https://www.bleepingcomputer.com/news/security/critical-jspdf-flaw-lets-hackers-steal-secrets-via-generated-pdfs/