Jan 6, 2026
jsPDF, the ubiquitous JavaScript PDF generation library, has a massive hole in its Node.js implementation. Versions prior to 4.0.0 fail to validate file paths passed to methods like `addImage`. This allows an attacker to supply a path like `../../etc/passwd`, causing the server to read that file and helpfully render its contents directly into a PDF, which can then be downloaded. It's essentially a 'Download Server Secrets as PDF' button.
A critical Local File Inclusion (LFI) vulnerability in the Node.js builds of jsPDF allows attackers to embed arbitrary local files (like /etc/passwd) into generated PDFs. The flaw stems from insufficient path validation in the file loading mechanism.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| jsPDF Parallax | < 4.0.0 | 4.0.0 |

| Attribute | Detail |
|---|---|
| CVSS v4.0 | 9.2 (Critical) |
| Attack Vector | Network (AV:N) |
| CWE ID | CWE-35 (Path Traversal) |
| CWE ID | CWE-73 (External Control of File Name) |
| Impact | High Confidentiality Loss |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
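
A path-confinement check of the kind the weakness description above calls for, as an added example that is not from jsPDF or the original advisory. The helper name `resolveInside`, the `images` directory and the sample files are assumptions constructed for the demo.

```javascript
// Added example (not jsPDF code): confine a caller-supplied image path to one
// directory before it reaches a file-reading method such as addImage.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Hypothetical helper. Returns the canonical path if `userPath` names a regular
// file inside `baseDir`; throws otherwise (including when the file is missing).
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== "string" || userPath.includes("\0")) {
    throw new Error("invalid path");
  }
  const base = fs.realpathSync(baseDir);
  // path.resolve collapses ".." lexically; realpathSync then follows symlinks,
  // so the comparison is made on the location a read would actually hit.
  const target = fs.realpathSync(path.resolve(base, userPath));
  const rel = path.relative(base, target);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep);
  if (rel === "" || escapes || path.isAbsolute(rel)) {
    throw new Error("path escapes image directory");
  }
  if (!fs.statSync(target).isFile()) throw new Error("not a regular file");
  return target;
}

// Constructed demo: a temp image directory, a file outside it, and a symlink
// inside it that points out of it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "pdf-demo-"));
  const images = path.join(root, "images");
  fs.mkdirSync(images);
  fs.writeFileSync(path.join(images, "logo.png"), "constructed");
  fs.writeFileSync(path.join(root, "secret.txt"), "constructed");
  fs.symlinkSync(path.join(root, "secret.txt"), path.join(images, "link.png"));
  const check = (p) => {
    try { resolveInside(images, p); return "allowed"; }
    catch { return "rejected"; }
  };
  const inputs = ["logo.png", "../secret.txt", path.join(root, "secret.txt"), "link.png"];
  const results = inputs.map(check);
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

Hand the returned canonical path, not the original input, to whatever reads the file, so the check and the read refer to the same location.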