Platform
nodejs
Component
jspdf
Fixed version
4.0.1
4.0.1
4.0.0
CVE-2025-68428 is a critical Path Traversal vulnerability affecting the Node.js builds of the jspdf library. This vulnerability allows attackers to read arbitrary files from the local filesystem where the Node.js process is running by manipulating the first argument of the loadFile method, as well as other methods like addImage, html, and addFont. The vulnerability impacts versions prior to 4.0.0 and a fix has been released.
The impact of this vulnerability is severe. An attacker who can control the first argument passed to the loadFile, addImage, html, or addFont methods can read any file accessible to the Node.js process. This includes sensitive configuration files, source code, and potentially even credentials. The attacker can then embed these file contents verbatim into generated PDFs, potentially exposing confidential information. The affected files are dist/jspdf.node.js and dist/jspdf.node.min.js. This vulnerability is particularly concerning as it allows for local file inclusion, potentially leading to further compromise of the system.
This vulnerability was publicly disclosed on 2026-01-05. While no active exploitation campaigns have been publicly reported, the availability of a proof-of-concept could lead to exploitation. The CVSS score of 9.5 (CRITICAL) indicates a high probability of exploitation if the vulnerability is exposed. It's recommended to prioritize remediation.
Applications using the Node.js builds of jspdf (jspdf.node.js and jspdf.node.min.js) prior to version 4.0.0 are at risk. This includes web applications generating PDFs on the server-side, particularly those where user-supplied data is directly incorporated into the PDF generation process without proper sanitization.
• nodejs / server:
ps aux | grep node | grep jspdf
• nodejs / server:
find / -name "jspdf.node.js" -o -name "jspdf.node.min.js"
• nodejs / server:
journalctl -u node -f | grep -i "loadFile"
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
The primary mitigation is to upgrade to jspdf version 4.0.0 or later, which addresses this vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the paths passed to loadFile, addImage, html, and addFont to prevent path traversal attacks. Web application firewalls (WAFs) configured to detect and block path traversal attempts can also provide an additional layer of defense. Monitor Node.js application logs for suspicious file access patterns, particularly attempts to access files outside of expected directories.
Update the jsPDF library to version 4.0.0 or later. In this version, filesystem access is restricted by default. If you cannot update, consider using the `--permission` option in Node.js (recent versions), or sanitizing user-supplied paths before passing them to jsPDF.
CVE-2025-68428 is a critical vulnerability allowing attackers to read arbitrary files from the local filesystem via the loadFile, addImage, html, and addFont methods in jspdf Node.js versions before 4.0.0.
You are affected if your application uses jspdf Node.js versions prior to 4.0.0 and allows user-controlled input to the loadFile, addImage, html, or addFont methods.
Upgrade to jspdf version 4.0.0 or later. If upgrading is not possible, implement strict input validation on paths passed to the vulnerable methods.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and the availability of a proof-of-concept suggest a potential for exploitation.
Refer to the jspdf project's repository or website for the official advisory and release notes regarding this vulnerability.