CVE-2025-29907 Overview
CVE-2025-29907 is a Denial of Service (DoS) vulnerability in jsPDF, a popular JavaScript library used to generate PDF documents. The vulnerability allows attackers to cause excessive CPU utilization by supplying a crafted data URL to the addImage method, leading to application unavailability and service disruption.
Critical Impact
Attackers can exploit unsanitized image URL inputs to cause resource exhaustion and denial of service in applications using jsPDF versions prior to 3.0.1.
Affected Products
- Parall jsPDF versions prior to 3.0.1
- Node.js applications using vulnerable jsPDF versions
- Web applications implementing jsPDF image handling functionality
Discovery Timeline
- 2025-03-18 - CVE-2025-29907 published to NVD
- 2025-09-22 - Last updated in NVD database
Technical Details for CVE-2025-29907
Vulnerability Analysis
This vulnerability (CWE-400: Uncontrolled Resource Consumption) exists in the data URL parsing logic of jsPDF's image handling methods. When user-controlled input is passed to the addImage, html, or addSvgAsImage methods without proper sanitization, attackers can craft malicious data URLs that trigger inefficient parsing operations. The original implementation used a regex-based extraction approach that performed poorly on adversarial inputs, consuming excessive CPU cycles and effectively rendering the application unresponsive.
The vulnerability is network-exploitable, requires no authentication or user interaction, and directly impacts application availability. Organizations running web applications that allow users to provide image URLs for PDF generation are particularly at risk.
Root Cause
The root cause lies in the extractImageFromDataUrl function within the src/modules/addimage.js module. The original implementation used an inefficient parsing strategy that split the data URL string and applied a complex regex pattern. This approach was susceptible to algorithmic complexity attacks where specially crafted inputs could cause the parsing logic to consume disproportionate CPU resources relative to input size.
Attack Vector
The attack vector is network-based, targeting applications that accept user-supplied image URLs for PDF generation. An attacker can submit a malicious data URL through any input mechanism that eventually reaches the vulnerable addImage, html, or addSvgAsImage methods. The attack requires no privileges or user interaction, making it highly accessible to remote attackers. A successful exploit results in CPU exhaustion, causing the affected application thread or process to become unresponsive.
* @name extractImageFromDataUrl
* @function
* @param {string} dataUrl a valid data URI of format 'data:[<MIME-type>][;base64],<data>'
- * @returns {Array}an Array containing the following
- * [0] the complete data URI
- * [1] <MIME-type>
- * [2] format - the second part of the mime-type i.e 'png' in 'image/png'
- * [4] <data>
+ * @returns {string} The raw Base64-encoded data.
*/
var extractImageFromDataUrl = (jsPDFAPI.__addimage__.extractImageFromDataUrl = function(
dataUrl
) {
- dataUrl = dataUrl || "";
- var dataUrlParts = dataUrl.split("base64,");
- var result = null;
+ if (dataUrl == null) {
+ return null;
+ }
- if (dataUrlParts.length === 2) {
- var extractedInfo = /^data:(\w*\/\w*);*(charset=(?!charset=)[\w=-]*)*;*$/.exec(
- dataUrlParts[0]
- );
- if (Array.isArray(extractedInfo)) {
- result = {
- mimeType: extractedInfo[1],
- charset: extractedInfo[2],
- data: dataUrlParts[1]
- };
Source: GitHub Commit Update
Detection Methods for CVE-2025-29907
Indicators of Compromise
- Abnormal CPU spikes in application servers or client browsers running jsPDF
- Unusually long response times for PDF generation endpoints
- Application threads becoming unresponsive during image processing operations
- Increased timeout errors in PDF generation workflows
Detection Strategies
- Monitor application performance metrics for sudden CPU utilization spikes during PDF generation
- Implement request logging to identify unusually large or malformed data URL inputs
- Set up alerting for PDF generation operations exceeding expected duration thresholds
- Audit application dependencies to identify vulnerable jsPDF versions using software composition analysis tools
Monitoring Recommendations
- Deploy application performance monitoring (APM) to track PDF generation endpoint latency
- Configure resource usage alerts for Node.js processes handling PDF operations
- Log and analyze input patterns to addImage, html, and addSvgAsImage method calls
- Implement rate limiting on PDF generation endpoints to mitigate abuse attempts
How to Mitigate CVE-2025-29907
Immediate Actions Required
- Upgrade jsPDF to version 3.0.1 or later immediately
- Review application code for user-controlled inputs passed to addImage, html, or addSvgAsImage methods
- Implement input validation and sanitization for all image URL inputs before passing to jsPDF
- Consider implementing request timeouts for PDF generation operations as a defense-in-depth measure
Patch Information
The vulnerability was fixed in jsPDF version 3.0.1. The patch improves the performance and security of data URL parsing in the addImage module by replacing the vulnerable regex-based extraction with a more efficient parsing approach. The fix is available in commit b167c43c27c466eb914b927885b06073708338df. Organizations should update their dependencies via npm or yarn package managers.
For detailed patch information, see the GitHub Security Advisory.
Workarounds
- Validate and sanitize all user-supplied image URLs before processing with jsPDF
- Restrict accepted image formats to known safe MIME types
- Implement server-side timeouts for PDF generation operations
- Consider moving PDF generation to isolated worker processes or containers to limit DoS impact
# Upgrade jsPDF within the version range declared in package.json
# (npm update takes package names, not version specs)
npm update jspdf
# Or install a patched version explicitly
npm install jspdf@^3.0.1
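The first two workarounds above (validate user-supplied image URLs, restrict MIME types), as an added example that is not jsPDF's own code or part of the patch. validateImageDataUrl, the allowlist and the size limits are hypothetical names and assumed policy values; the check accepts only base64 data URLs and rejects everything else.

```javascript
// Added example, not jsPDF code. Policy values below are assumptions; tune per application.
const ALLOWED_MIME = new Set(["image/png", "image/jpeg"]);
const MAX_DATA_URL_LENGTH = 5 * 1024 * 1024; // characters
const MAX_HEADER_LENGTH = 64;

// True for A-Z, a-z, 0-9, '+' and '/'.
function isBase64Char(c) {
  return (c >= 65 && c <= 90) || (c >= 97 && c <= 122) ||
         (c >= 48 && c <= 57) || c === 43 || c === 47;
}

// Hypothetical helper: call before doc.addImage().
// Returns { ok: false, reason } or { ok: true, mime, payload }.
function validateImageDataUrl(input) {
  const reject = reason => ({ ok: false, reason });
  if (typeof input !== "string") return reject("not-a-string");
  // Length check first, so oversized input costs nothing further.
  if (input.length > MAX_DATA_URL_LENGTH) return reject("too-large");
  if (!input.startsWith("data:")) return reject("not-a-data-url");

  // One indexOf scan finds the header/payload separator; no regex touches the header.
  const comma = input.indexOf(",");
  if (comma < 0) return reject("no-payload");
  if (comma - 5 > MAX_HEADER_LENGTH) return reject("header-too-long");

  // Accept exactly "<allowlisted mime>;base64" and nothing else.
  const params = input.slice(5, comma).split(";");
  const mime = params[0].toLowerCase();
  if (!ALLOWED_MIME.has(mime)) return reject("mime-not-allowed");
  if (params.length !== 2 || params[1] !== "base64") return reject("not-base64");

  const payload = input.slice(comma + 1);
  if (payload.length === 0 || payload.length % 4 !== 0) return reject("bad-base64-length");
  // Up to two trailing '=' are padding; everything before must be in the alphabet.
  let end = payload.length;
  while (end > payload.length - 2 && payload.charCodeAt(end - 1) === 61) end--;
  for (let i = 0; i < end; i++) {
    if (!isBase64Char(payload.charCodeAt(i))) return reject("bad-base64-char");
  }
  return { ok: true, mime, payload };
}

// Constructed sample: base64 of the 8-byte PNG signature only, not a full image.
const SAMPLE = "data:image/png;base64,iVBORw0KGgo=";
console.log(validateImageDataUrl(SAMPLE));
console.log(validateImageDataUrl("data:image/svg+xml;base64,AAAA"));
```

Logging the reason field of rejected inputs also gives the request-level signal listed under Detection Strategies.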