A critical-severity vulnerability recently patched in the jsPDF library could allow attackers to read sensitive information, including configuration files and credentials, Endor Labs warns.
A popular NPM package with more than 3.5 million downloads per week, jsPDF supports the creation of PDF documents in JavaScript applications.
The flaw, tracked as CVE-2025-68428 (CVSS score of 9.2), is a local file inclusion/path traversal issue in the library’s loadFile method.
Because user-controlled input can be passed as the file path argument, jsPDF reads the specified file and includes its contents in the PDF output.
“If given the opportunity to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs,” jsPDF’s maintainers explain in an advisory.
Public-facing methods that internally call loadFile and could be abused as attack vectors include addImage, html, and addFont.
Only the Node.js builds of jsPDF are impacted by the flaw, which was addressed in jsPDF version 4.0.0 by restricting file access by default.
According to Endor Labs, an attacker could exploit the vulnerability to expose configuration files, credentials, environment variables, and the contents of any other file that the Node.js process can access.
“The library reads whatever file path is provided and embeds the raw content. Path traversal sequences allow reading files outside the intended directory scope. This becomes externally exploitable when a user-controlled value is passed to the first parameter within the impacted methods,” Endor Labs says.
To resolve the vulnerability, users should update to jsPDF version 4.0.0 and use Node’s permission flags to limit file system reads to the specific files the application actually needs.
“If you upgrade to jsPDF 4.0.0 but configure Node.js with broad read permissions to keep the application working, you remain vulnerable,” Endor Labs explains.
