💣 deps: Upgrade dependency jspdf to v4 [SECURITY]. #1305
Open
renovate[bot] wants to merge 1 commit into main from
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #1305 +/- ##
==========================================
- Coverage 80.66% 80.57% -0.09%
==========================================
Files 844 844
Lines 14739 14739
Branches 1978 1978
==========================================
- Hits 11889 11876 -13
- Misses 2321 2328 +7
- Partials 529 535 +6
This PR contains the following updates:
jspdf: ^3.0.2 → ^4.0.0
jsPDF has Local File Inclusion/Path Traversal vulnerability
CVE-2025-68428 / GHSA-f8cm-6447-x5h2
More information
Details
Impact
User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal.
If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs.
Other affected methods are: addImage, html, addFont.
Only the node.js builds of the library are affected, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.
Example attack vector:
Patches
The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes.
Workarounds
With recent node versions, jsPDF recommends using the --permission flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. See the node documentation for details.
For older node versions, sanitize user-provided paths before passing them to jsPDF.
Credits
Researcher: kilkat (Kwangwoon Kim)
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jsPDF has Shared State Race Condition in addJS Plugin
CVE-2026-24040 / GHSA-cjw8-79x6-5cj4
More information
Details
Impact
The addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests.
If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B.
Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side.
Patches
The vulnerability has been fixed in jspdf@4.0.1. The fix moves the shared variable into the function scope, ensuring isolation between instances.
Workarounds
Avoid using the addJS method in concurrent server-side environments. If usage is required, ensure requests are processed sequentially (e.g., using a queue) rather than in parallel.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)
CVE-2026-24043 / GHSA-vm32-vv63-w422
More information
Details
Impact
User control of the first argument of the addMetadata function allows users to inject arbitrary XML.
If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed.
Example attack vector:
Patches
The vulnerability has been fixed in jsPDF@4.1.0.
Workarounds
Sanitize user input before passing it to the addMetadata method: escape XML entities. For example:
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder
CVE-2026-24133 / GHSA-95fx-jjr5-f39c
More information
Details
Impact
User control of the first argument of the addImage method results in Denial of Service.
If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation.
Other affected methods are: html.
Example attack vector:
Patches
The vulnerability has been fixed in jsPDF 4.1.0. Upgrade to jspdf@>=4.1.0.
Workarounds
Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution
CVE-2026-24737 / GHSA-pqxr-3g65-p328
More information
Details
Impact
User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.
If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are:
AcroformChoiceField.addOption
AcroformChoiceField.setOptions
AcroFormCheckBox.appearanceState
AcroFormRadioButton.appearanceState
Example attack vector:
Patches
The vulnerability has been fixed in jsPDF@4.1.0.
Workarounds
Sanitize user input before passing it to the vulnerable API members.
Credits
Research and fix: Ahmet Artuç
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method
CVE-2026-25755 / GHSA-9vjf-qc39-jprp
More information
Details
Impact
User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.
Patches
The vulnerability has been fixed in jspdf@4.2.0.
Workarounds
Escape parentheses in user-provided JavaScript code before passing them to the addJS method.
References
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
CVE-2026-25940 / GHSA-p5xg-68wr-hm3m
More information
Details
Impact
User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.
If given the possibility to pass unsanitized input to the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option.
AcroformChildClass.appearanceState
Example attack vector:
Patches
The vulnerability has been fixed in jsPDF@4.2.0.
Workarounds
Sanitize user input before passing it to the vulnerable API members.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
CVE-2026-25535 / GHSA-67pg-wm7f-q7fj
More information
Details
Impact
User control of the first argument of the addImage method results in denial of service.
If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation.
Other affected methods are: html.
Example attack vector:
Patches
The vulnerability has been fixed in jsPDF 4.1.1. Upgrade to jspdf@>=4.2.0.
Workarounds
Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.
References
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jsPDF has a PDF Object Injection via FreeText color
CVE-2026-31898 / GHSA-7x6v-j9x4-qf24
More information
Details
Impact
User control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions.
If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with.
createAnnotation: color parameter
Example attack vector:
Patches
The vulnerability has been fixed in jsPDF@4.2.1.
Workarounds
Sanitize user input before passing it to the vulnerable API members.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jsPDF has HTML Injection in New Window paths
CVE-2026-31938 / GHSA-wfv2-pwc8-crg5
More information
Details
Impact
User control of the options argument of the output function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The affected overloads and options are:
"pdfobjectnewwindow": the pdfObjectUrl option and the entire options object, which is JSON-serialized and included verbatim in the generated HTML-string.
"pdfjsnewwindow": the pdfJsUrl and filename options
"dataurlnewwindow": the filename option
The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victim's browser context and can extract or modify secrets from this context.
Example attack vector:
Patches
The vulnerability has been fixed in jspdf@4.2.1.
Workarounds
Sanitize user input before passing it to the output method.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
parallax/jsPDF (jspdf)
v4.2.1
This release fixes two security issues.
What's Changed
Full Changelog: parallax/jsPDF@v4.2.0...v4.2.1
v4.2.0
This release fixes three security issues.
What's Changed
New Contributors
Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0
v4.1.0
This release fixes several security issues.
What's Changed
Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0
v4.0.0
This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.
There are no other breaking changes.
v3.0.4
This release includes a bunch of bugfixes. Thanks to all contributors!
What's Changed
New Contributors
Full Changelog: parallax/jsPDF@v3.0.3...v3.1.0
v3.0.3
This release fixes regressions with PNG encoding that were introduced in v3.0.2.
What's Changed
New Contributors
Full Changelog: parallax/jsPDF@v3.0.2...v3.0.3
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
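The BMP (CVE-2026-24133) and GIF (CVE-2026-25535) advisories above both give "sanitize image data" as the workaround. One way to do that before the bytes reach addImage, as an added example that is not part of this PR or of jsPDF: read the declared width and height from the file header and reject anything over a pixel budget. The function names and the 50-megapixel cap are assumptions.

```javascript
// Added example, not jsPDF code. MAX_PIXELS, readDeclaredSize and
// checkImageDimensions are hypothetical names; the 50-megapixel cap is an assumption.
const MAX_PIXELS = 50_000_000;

function readDeclaredSize(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (bytes.length >= 26 && bytes[0] === 0x42 && bytes[1] === 0x4d) { // "BM"
    if (view.getUint32(14, true) === 12) // BITMAPCOREHEADER: uint16 fields
      return { format: "bmp", width: view.getUint16(18, true), height: view.getUint16(20, true) };
    // BITMAPINFOHEADER and later: int32 LE; a negative height means top-down rows.
    return { format: "bmp", width: Math.abs(view.getInt32(18, true)),
             height: Math.abs(view.getInt32(22, true)) };
  }
  const sig = String.fromCharCode(...bytes.subarray(0, 6));
  if (bytes.length >= 10 && (sig === "GIF87a" || sig === "GIF89a")) {
    // Logical screen descriptor: uint16 LE width and height at offsets 6 and 8.
    return { format: "gif", width: view.getUint16(6, true), height: view.getUint16(8, true) };
  }
  return null; // some other format; this check does not cover it
}

function checkImageDimensions(bytes, maxPixels = MAX_PIXELS) {
  const size = readDeclaredSize(bytes);
  if (size === null) return { verdict: "unchecked" };
  const pixels = size.width * size.height;
  const ok = size.width > 0 && size.height > 0 && pixels <= maxPixels;
  return { verdict: ok ? "accept" : "reject", ...size, pixels };
}

// Constructed sample headers (not real image files); only the fields read above are set.
function bmpHeader(width, height) {
  const b = new Uint8Array(54);
  const v = new DataView(b.buffer);
  b.set([0x42, 0x4d]);         // "BM"
  v.setUint32(14, 40, true);   // DIB header size 40 = BITMAPINFOHEADER
  v.setInt32(18, width, true);
  v.setInt32(22, height, true);
  return b;
}
function gifHeader(width, height) {
  const b = new Uint8Array(13);
  const v = new DataView(b.buffer);
  b.set([0x47, 0x49, 0x46, 0x38, 0x39, 0x61]); // "GIF89a"
  v.setUint16(6, width, true);
  v.setUint16(8, height, true);
  return b;
}

console.log(checkImageDimensions(bmpHeader(640, 480)), checkImageDimensions(gifHeader(65535, 65535)));
```

The check reads only the file header; GIF frames carry their own dimensions, so treat it as a first gate in front of the upgrade rather than a replacement for it.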
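The XMP metadata advisory (CVE-2026-24043) names XML entity escaping as its workaround. An added example of that escaping, not taken from this PR or from jsPDF; escapeXmlText is a hypothetical helper name and the sample value is constructed.

```javascript
// Added example, not jsPDF code; escapeXmlText is a hypothetical helper name.
const XML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };

function escapeXmlText(value) {
  return String(value)
    // Drop characters XML 1.0 does not allow at all (C0 controls except tab, LF, CR).
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/g, "")
    // Encode the five characters that carry markup meaning, "&" included,
    // so the value can only ever be read back as character data.
    .replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Constructed sample: a user-supplied value that contains element markup.
const sampleValue = 'Report</rdf:li><rdf:li>extra';
console.log(escapeXmlText(sampleValue));
```

Input that is already entity-encoded is encoded again, so apply the helper once, at the point where the value is handed to addMetadata.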