{"id":15428,"date":"2026-01-08T11:20:21","date_gmt":"2026-01-08T11:20:21","guid":{"rendered":"https:\/\/newestek.com\/?p=15428"},"modified":"2026-01-08T11:20:21","modified_gmt":"2026-01-08T11:20:21","slug":"critical-jspdf-vulnerability-enables-arbitrary-file-read-in-node-js-deployments","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15428","title":{"rendered":"Critical jsPDF vulnerability enables arbitrary file read in Node.js deployments"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A now-fixed critical flaw in the jsPDF <a href=\"https:\/\/github.com\/parallax\/jsPDF\" target=\"_blank\" rel=\"noreferrer noopener\">library<\/a> could enable attackers to extract sensitive files from enterprise servers and embed them directly into generated PDF documents.<\/p>\n<p>Tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-68428\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-68428<\/a>, the flaw affects unpatched Node.js deployments of jsPDF, where untrusted input is passed to file-handling APIs without proper validation.<\/p>\n<p>According to an Endor Labs analysis, the issue enables path traversal and local file inclusion, allowing an attacker to read arbitrary files from the underlying filesystem. 
In affected environments, this could expose credentials, configuration files, private keys, or environment variables.<\/p>\n<p>The vulnerability impacts jsPDF versions 3.0.4 and earlier, specifically the Node.js builds used in server-side PDF generation workflows, and does not affect browser-only usage.<\/p>\n<p>While a fix has been made available, Endor researchers warned that remediation goes beyond a simple version bump, particularly in production environments that rely on dynamic file handling. \u201cThe patch provides no protection if the runtime permits unrestricted filesystem access,\u201d Endor researchers said in a blog post.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>PDF library turns into a file exfiltration vector<\/h2>\n<p>The CVE-2025-68428 issue lies in how jsPDF handles file paths when loading external resources in <a href=\"https:\/\/www.csoonline.com\/article\/562547\/malicious-code-in-the-node-js-npm-registry-shakes-open-source-trust-model.html\">Node.js<\/a>. Several commonly used APIs, including \u201caddImage\u201d, \u201chtml\u201d, and \u201caddFont\u201d, internally rely on a \u201cloadFile()\u201d function to read files from disk. Prior to version 4.0.0, these methods did not adequately validate or restrict file paths supplied at runtime.<\/p>\n<p>If an application accepts user-controlled input, such as a filename, image path, or font reference, and passes it directly into these APIs, an attacker could supply a crafted path to reference sensitive application files. jsPDF would then read the file and embed its contents into the resulting PDF without triggering an error.<\/p>\n<p>Because the library does not enforce file-type restrictions at this stage, the issue is not limited to images or fonts. Any file readable by the Node.js process can potentially be included.<\/p>\n<p>The bug has been assigned a critical severity rating with a base CVSS score of 9.2 out of 10. 
Researchers urged upgrading to the fixed version immediately to protect against exploitation.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Patching may not be enough<\/h2>\n<p>The jsPDF maintainers addressed the issue in version 4.0.0 by restricting filesystem access by default. The fix relies on Node.js permission mode, which requires applications to explicitly grant read access to specific directories at runtime. When properly configured, this prevents jsPDF from accessing files outside approved paths.<\/p>\n<p>However, this approach introduces operational complexity. Node.js permission mode is evolving, and many production environments either run older Node versions or have not adopted permission-based execution. \u201cMany environments run older Node.js versions that lack stable permission mode support, and enabling --permission may break existing functionality if filesystem access patterns haven\u2019t been carefully mapped,\u201d the researchers <a href=\"https:\/\/www.endorlabs.com\/learn\/cve-2025-68428-critical-path-traversal-in-jspdf\">noted<\/a>.<\/p>\n<p>The researchers outlined a set of steps for organizations to assess the exploitability of their deployments. These include verifying whether jsPDF is being used server-side (as it is unexploitable on the client side), checking whether the running version already implements permission mode and has filesystem permission properly configured, identifying affected code paths with SCA tools, and manually searching the vulnerable codebase.<\/p>\n<p>Endor Labs credited security researcher Kwangwoon Kim (KilkAt) for identifying and reporting the vulnerability on <a href=\"https:\/\/github.com\/parallax\/jsPDF\/security\/advisories\/GHSA-f8cm-6447-x5h2\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A now-fixed critical flaw in the jsPDF library could enable attackers to extract sensitive files from enterprise servers and 
embed them directly into generated PDF documents. Tracked as CVE-2025-68428, the flaw affects unpatched Node.js deployments of jsPDF, where untrusted input is passed to file-handling APIs without proper validation. According to an Endor Labs analysis, the issue enables path traversal and local file inclusion, allowing an&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15428\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15428","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15428"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15428\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}