CVE-2025-68428
CVE-2025-68428 is a high-severity vulnerability in Parall Jspdf with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-35.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v4: 9.2
- EPSS exploit prediction: 2% (79th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-0847
- Weakness: CWE-35
- Affected product: Parall Jspdf
- Published:
- Last modified:
Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in [email protected]. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.
Frequently asked questions
- What is CVE-2025-68428?
- jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in [email protected]. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.
- How severe is CVE-2025-68428?
- CVE-2025-68428 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2025-68428 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (79th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-68428?
- CVE-2025-68428 affects Parall Jspdf. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-68428?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-68428 have an EU (EUVD) identifier?
- Yes. CVE-2025-68428 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-0847.
- When was CVE-2025-68428 published?
- CVE-2025-68428 was published on 2026-01-05 and last updated on 2026-06-30.
References
- https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d
- https://github.com/parallax/jsPDF/releases/tag/v4.0.0
- https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2
- https://access.redhat.com/errata/RHSA-2026:1517
- https://access.redhat.com/errata/RHSA-2026:2350
- https://access.redhat.com/errata/RHSA-2026:2568
- https://access.redhat.com/security/cve/CVE-2025-68428
- https://bugzilla.redhat.com/show_bug.cgi?id=2427236
- https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-68428.json
Affected products (1)
- cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*
More vulnerabilities in Parall Jspdf
- CVE-2026-31938 — Critical (CVSS 9.6): jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of…
- CVE-2026-31898 — High (CVSS 8.1): jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the…
- CVE-2026-25940 — High (CVSS 8.1): jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the…
- CVE-2026-25755 — High (CVSS 8.1): jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method…
- CVE-2026-24737 — High (CVSS 8.1): jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the…
- CVE-2026-25535 — High (CVSS 7.5): jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage`…
All CVEs affecting Parall Jspdf →
Other CWE-35 vulnerabilities
- CVE-2025-59793 — Critical (CVSS 9.9): Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to…
- CVE-2026-6074 — Critical (CVSS 9.8): Intrado 911 Emergency Gateway (EGW) 5.x, 6.x, and 7.x contain a path traversal vulnerability in the…
- CVE-2025-41723 — Critical (CVSS 9.8): The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the…
- CVE-2025-42937 — Critical (CVSS 9.8): SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An…
- CVE-2025-30515 — Critical (CVSS 9.8): CyberData 011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations…
- CVE-2026-52703 — Critical (CVSS 9.6): Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.