External risk intelligence

jsPDF Node.js Local File Inclusion Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2025-68428

The vulnerability exists in a Node.js library used for PDF generation. While it could theoretically be integrated into a web-facing application, the vulnerable functionality requires an application to pass unsanitized, user-controlled input into specific library methods. This is an indirect exposure pattern rather than a service that is internet-facing by design.

Path Traversal

Parall Jspdf

before 4.0.0

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a widely used JavaScript library for generating PDFs. If improperly handled, it could allow unauthorized access to local files on the server where the library is running, with the contents embedded directly into generated PDF documents. The primary concern at this time is to confirm if this library is in use and if the vulnerable functionality is exposed.

  • Local files could be exposed in PDFs.
  • Matters if the PDF library is integrated.
  • Confirm relevance and assess any exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking a Node.js application that uses the jsPDF library into processing a specially crafted input. If the application improperly handles user-supplied data and passes it directly to the `loadFile` method, the attacker could manipulate the input to read arbitrary files from the server's file system. The content of these files would then be embedded into the generated PDF documents.

  • Unsanitized user input to `loadFile`.
  • Crafted input to `loadFile` method.
  • Arbitrary local file reading.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, the Node.js build of the jsPDF library could allow attackers to include the contents of arbitrary local files within generated PDFs. This occurs when unsanitized user input is passed to the `loadFile`, `addImage`, `html`, or `addFont` methods, enabling path traversal to access and embed file data.

  • Local files in the Node.js process.
  • Unsanitized user input to library methods.
  • Arbitrary file contents embedded in PDFs.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the jsPDF library's Node.js builds affects applications that allow user-controlled input to dictate file paths. Application owners or the development teams responsible for integrating jsPDF are likely to own this issue. The first practical step is to identify all Node.js applications using jsPDF, determine if they pass unsanitized paths to the `loadFile`, `addImage`, `html`, or `addFont` methods, and confirm network exposure or business criticality.

  • Identify accountable application owners.
  • Verify unsanitized path usage.
  • Plan remediation or risk reduction.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is jsPDF and how is it used?

jsPDF is a JavaScript library designed to generate PDF documents. It is frequently utilized in Node.js environments to automate the creation of reports, invoices, or other documents on the server side by programmatically defining the layout and content.

What is the vulnerability in CVE-2025-68428?

This is a path traversal vulnerability (CWE-22) affecting the Node.js build of jsPDF. It occurs when the library's methods, such as loadFile, receive unsanitized user input. This allows the software to be tricked into reading unintended files from the server's local file system and embedding their contents directly into a generated PDF.

How can an attacker trigger this CVE-2025-68428 issue?

An attacker triggers this by providing malicious, unsanitized file paths to specific library methods like loadFile, addImage, html, or addFont. This issue does not occur if the application restricts file system access or only passes hard-coded, trusted paths to these methods.

Do I need to worry about this if my app is internal?

Yes. Halo Surface Signal notes this as an indirect exposure, meaning it depends on how your application handles input. Even for internal applications, if a user can control the input sent to these library methods, they may be able to read sensitive server files. Publicly facing applications simply carry a higher potential for such malicious input.

What is the first step to address CVE-2025-68428?

The primary step is to upgrade jsPDF to version 4.0.0 or later, which restricts file system access by default. If an immediate upgrade is not possible, ensure all user-provided paths are rigorously sanitized before being passed to the library, or use the Node.js --permission flag in production to limit file access.

References