Platform
nodejs
Component
jspdf
Fixed in
4.0.1
4.0.1
4.0.0
CVE-2025-68428 is a critical Path Traversal vulnerability affecting the Node.js builds of the jspdf library. This vulnerability allows attackers to read arbitrary files from the local filesystem where the Node.js process is running by manipulating the first argument of the loadFile method, as well as other methods like addImage, html, and addFont. The vulnerability impacts versions prior to 4.0.0 and a fix has been released.
The impact of this vulnerability is severe. An attacker who can control the first argument passed to the loadFile, addImage, html, or addFont methods can read any file accessible to the Node.js process. This includes sensitive configuration files, source code, and potentially even credentials. The attacker can then embed these file contents verbatim into generated PDFs, potentially exposing confidential information. The affected files are dist/jspdf.node.js and dist/jspdf.node.min.js. This vulnerability is particularly concerning as it allows for local file inclusion, potentially leading to further compromise of the system.
This vulnerability was publicly disclosed on 2026-01-05. While no active exploitation campaigns have been publicly reported, the availability of a proof-of-concept could lead to exploitation. The CVSS score of 9.5 (CRITICAL) indicates a high probability of exploitation if the vulnerability is exposed. It's recommended to prioritize remediation.
Applications using the Node.js builds of jspdf (jspdf.node.js and jspdf.node.min.js) prior to version 4.0.0 are at risk. This includes web applications generating PDFs on the server-side, particularly those where user-supplied data is directly incorporated into the PDF generation process without proper sanitization.
• nodejs / server:
ps aux | grep node | grep jspdf
• nodejs / server:
find / -name "jspdf.node.js" -o -name "jspdf.node.min.js"
• nodejs / server:
journalctl -u node -f | grep -i "loadFile"
Exploit Status
EPSS
0.02% (percentile 6%)
CISA SSVC
The primary mitigation is to upgrade to jspdf version 4.0.0 or later, which addresses this vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the paths passed to loadFile, addImage, html, and addFont to prevent path traversal attacks. Web application firewalls (WAFs) configured to detect and block path traversal attempts can also provide an additional layer of defense. Monitor Node.js application logs for suspicious file access patterns, particularly attempts to access files outside of expected directories.
Update the jsPDF library to version 4.0.0 or later. This version restricts filesystem access by default. If you cannot update, consider using the `--permission` option in Node.js (recent versions) or validating user-supplied paths before passing them to jsPDF.
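The path validation suggested above can be done by resolving the user-supplied name against a single allowed directory and rejecting anything that lands outside it. This is an added example, not code from jsPDF or from this advisory; `resolveInside`, `verdict`, `buildSampleTree` and the sample file names are hypothetical.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper (not a jsPDF API): map a user-supplied name to a real
// file inside baseDir, or throw.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath === '' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = fs.realpathSync(baseDir);
  // realpathSync resolves "..", absolute inputs and symlinks to the final
  // on-disk location, and throws if the file does not exist.
  const real = fs.realpathSync(path.resolve(base, userPath));
  const rel = path.relative(base, real);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes allowed directory');
  }
  return real;
}

// Constructed sample tree: <tmp>/assets/logo.png is allowed, <tmp>/secret.env
// is not, and assets/link.png is a symlink pointing at the secret.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'pdf-assets-'));
  const assets = path.join(root, 'assets');
  fs.mkdirSync(assets);
  fs.writeFileSync(path.join(assets, 'logo.png'), 'constructed image bytes');
  fs.writeFileSync(path.join(root, 'secret.env'), 'constructed secret');
  fs.symlinkSync(path.join(root, 'secret.env'), path.join(assets, 'link.png'));
  return assets;
}

// Returns "allowed" or "rejected" for each input instead of throwing.
function verdict(baseDir, userPath) {
  try {
    resolveInside(baseDir, userPath);
    return 'allowed';
  } catch {
    return 'rejected';
  }
}

const assets = buildSampleTree();
for (const p of ['logo.png', '../secret.env', '/etc/hostname', 'link.png', 'missing.png']) {
  console.log(p.padEnd(16), verdict(assets, p));
}
```

Pass the value returned by `resolveInside` to loadFile, addImage, html or addFont, never the raw request input.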
CVE-2025-68428 is a critical vulnerability allowing attackers to read arbitrary files from the local filesystem via the loadFile, addImage, html, and addFont methods in jspdf Node.js versions before 4.0.0.
You are affected if your application uses jspdf Node.js versions prior to 4.0.0 and allows user-controlled input to the loadFile, addImage, html, or addFont methods.
Upgrade to jspdf version 4.0.0 or later. If upgrading is not possible, implement strict input validation on paths passed to the vulnerable methods.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and the availability of a proof-of-concept suggest a potential for exploitation.
Refer to the jspdf project's repository or website for the official advisory and release notes regarding this vulnerability.