A now-fixed critical flaw in the jsPDF library could enable attackers to extract sensitive files from enterprise servers and embed them directly into generated PDF documents.
Tracked as CVE-2025-68428, the flaw affects unpatched Node.js deployments of jsPDF, where untrusted input is passed to file-handling APIs without proper validation.
According to an Endor Labs analysis, the issue enables path traversal and local file inclusion, allowing an attacker to read arbitrary files from the underlying filesystem. In affected environments, this could expose credentials, configuration files, private keys, or environment variables.
The vulnerability impacts jsPDF versions 3.0.4 and earlier, specifically the Node.js builds used in server-side PDF generation workflows, and does not affect browser-only usage.
While a fix has been made available, Endor researchers warned that remediation goes beyond a simple version bump, particularly in production environments that rely on dynamic file handling. “The patch provides no protection if the runtime permits unrestricted filesystem access,” Endor researchers said in a blog post.
PDF library turns into a file exfiltration vector
The CVE-2025-68428 issue lies in how jsPDF handles file paths when loading external resources in Node.js. Several commonly used APIs, including “addImage”, “html”, and “addFont”, internally rely on a “loadFile()” function to read files from disk. Prior to version 4.0.0, these methods did not adequately validate or restrict file paths supplied at runtime.
If an application accepts user-controlled input, such as a filename, image path, or font reference, and passes it directly into these APIs, an attacker could supply a crafted path to reference sensitive application files. jsPDF would then read the file and embed its contents into the resulting PDF without triggering an error.
Because the library does not enforce file-type restrictions at this stage, the issue is not limited to images or fonts. Any file readable by the Node.js process can potentially be included.
The bug has been assigned a critical severity rating, with a base CVSS score of 9.2 out of 10. Researchers urged upgrading to the fixed version immediately to protect against exploitation.
Patching may not be enough
The jsPDF maintainers addressed the issue in version 4.0.0 by restricting filesystem access by default. The fix relies on Node.js permission mode, which requires applications to explicitly grant read access to specific directories at runtime. When properly configured, this prevents jsPDF from accessing files outside approved paths.
However, this approach introduces operational complexity. Node.js permission mode is evolving, and many production environments either run older Node versions or have not adopted permission-based execution. “Many environments run older Node.js versions that lack stable permission mode support, and enabling --permission may break existing functionality if filesystem access patterns haven’t been carefully mapped,” the researchers noted.
The researchers outlined a set of steps for organizations to assess the exploitability of their deployments: verifying whether jsPDF is used server-side (the flaw is not exploitable in browser-only usage), checking whether the running Node.js version supports permission mode and whether filesystem permissions are properly configured, identifying affected code paths with SCA tools, and manually searching the codebase for calls that pass runtime-supplied paths to the affected APIs.
Endor Labs credited security researcher Kwangwoon Kim (KilkAt) for identifying and reporting the vulnerability on GitHub.