CVE-2025-68428 Overview
CVE-2025-68428 is a critical Local File Inclusion (LFI) and Path Traversal vulnerability affecting jsPDF, a popular JavaScript library used to generate PDF documents. Prior to version 4.0.0, the library's loadFile method in the Node.js build allows attackers to read arbitrary files from the local file system when user-controlled input is passed without proper sanitization.
This vulnerability enables attackers to retrieve sensitive file contents from any location accessible to the Node.js process, with the extracted data being included verbatim in generated PDF documents. Additional affected methods include addImage, html, and addFont, expanding the attack surface for exploitation.
Critical Impact
Attackers can exfiltrate sensitive files from the server's file system, potentially exposing configuration files, credentials, application source code, and other confidential data through generated PDF documents.
Affected Products
- jsPDF versions prior to 4.0.0 (Node.js builds only)
- dist/jspdf.node.js distribution file
- dist/jspdf.node.min.js distribution file
Discovery Timeline
- 2026-01-05 - CVE-2025-68428 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-68428
Vulnerability Analysis
This vulnerability stems from improper path validation in the jsPDF Node.js build, specifically classified under CWE-35 (Path Traversal). When an application passes user-controlled input to the loadFile method without sanitization, an attacker can supply path traversal sequences to access files outside the intended directory.
The vulnerability specifically affects the Node.js builds of jsPDF because these builds have direct file system access capabilities, unlike browser-based JavaScript environments that operate within a sandboxed context. The file contents retrieved through this vulnerability are embedded directly into the generated PDF output, making this an effective data exfiltration technique.
Multiple entry points exist for exploitation, including the primary loadFile method as well as addImage, html, and addFont methods, all of which can be leveraged to read arbitrary files when accepting unsanitized user input.
Root Cause
The root cause is insufficient input validation and path sanitization in the jsPDF Node.js build. The library did not implement proper security controls to restrict file system access to authorized directories. When the loadFile method or related functions receive a file path argument, they directly access the file system without verifying that the requested path remains within expected boundaries.
This architectural decision to allow unrestricted file system access in a library that may process user-provided input creates a significant security risk in applications that do not implement their own path validation.
Attack Vector
The attack is network-accessible, requiring no authentication or user interaction. An attacker who can influence the file path argument passed to vulnerable jsPDF methods can:
- Supply path traversal sequences (e.g., ../../../etc/passwd) to escape intended directories
- Read sensitive files accessible to the Node.js process user
- Exfiltrate the file contents through the generated PDF document
The vulnerability manifests when applications integrate jsPDF and pass user-controlled data to the loadFile, addImage, html, or addFont methods without proper sanitization. See the GitHub Security Advisory for detailed technical information.
Detection Methods for CVE-2025-68428
Indicators of Compromise
- Unexpected file system access from Node.js processes running jsPDF
- PDF generation requests containing path traversal patterns such as ../ or absolute paths
- Access attempts to sensitive system files like /etc/passwd, /etc/shadow, or application configuration files
- Unusual patterns in web server logs showing path traversal sequences in PDF-related endpoints
Detection Strategies
- Implement application-level logging for all file path arguments passed to jsPDF methods
- Deploy Web Application Firewall (WAF) rules to detect path traversal patterns in request parameters
- Monitor process-level file system access for anomalous patterns using endpoint detection tools
- Review generated PDF documents for unexpected embedded content
Monitoring Recommendations
- Enable audit logging for file system access in production Node.js environments
- Configure SIEM rules to alert on path traversal sequences in application logs
- Implement file integrity monitoring on sensitive configuration directories
- Use SentinelOne's Singularity platform to monitor for suspicious file access patterns from Node.js processes
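The indicators and SIEM rule described above, as an added example (not code from jsPDF or from this advisory): it scans constructed access-log lines for traversal sequences and absolute paths in the parameters of a PDF endpoint, decoding percent-encoding before matching. The `/api/pdf` endpoint, its `image` and `font` parameters, and the log format are assumptions.

```javascript
// Constructed log lines; the /api/pdf endpoint and its parameters are hypothetical.
const SAMPLE_LOG = [
  '203.0.113.7 "GET /api/pdf?image=logo.png HTTP/1.1" 200',
  '203.0.113.9 "GET /api/pdf?image=../../../etc/passwd HTTP/1.1" 200',
  '203.0.113.9 "GET /api/pdf?font=%2e%2e%2fapp%2fconfig.json HTTP/1.1" 200',
  '203.0.113.9 "GET /api/pdf?image=%252e%252e%252fconfig.json HTTP/1.1" 200',
  '198.51.100.4 "GET /api/pdf?image=/etc/shadow HTTP/1.1" 200',
  '198.51.100.4 "GET /static/../favicon.ico HTTP/1.1" 404',
];

// Percent-decode repeatedly (bounded) so the rule matches the value the
// application will eventually see, not its encoded form.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Classify one parameter value: "traversal", "absolute-path", or null.
function classify(value) {
  const v = fullyDecode(value).replace(/\\/g, "/");
  if (/(^|\/)\.\.(\/|$)/.test(v)) return "traversal";
  if (v.startsWith("/") || /^[A-Za-z]:\//.test(v)) return "absolute-path";
  return null;
}

// Scan request lines for suspicious parameters on the PDF endpoint only.
function scanLog(lines, endpointPrefix = "/api/pdf") {
  const hits = [];
  lines.forEach((line, index) => {
    const m = /"(?:GET|POST) (\S+) HTTP/.exec(line);
    if (!m) return;
    const [pathname, query = ""] = m[1].split("?");
    if (!pathname.startsWith(endpointPrefix)) return;
    for (const pair of query.split("&")) {
      const eq = pair.indexOf("=");
      if (eq < 0) continue;
      const reason = classify(pair.slice(eq + 1));
      if (reason) hits.push({ line: index + 1, param: pair.slice(0, eq), reason });
    }
  });
  return hits;
}
console.log(scanLog(SAMPLE_LOG));
```

A hit only shows that a request carried a suspicious value; whether it reached a jsPDF file-loading method still has to be confirmed from application logs.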
How to Mitigate CVE-2025-68428
Immediate Actions Required
- Upgrade to jsPDF version 4.0.0 or later immediately
- Audit all code paths where user input may reach jsPDF file loading methods
- Implement strict input validation and path sanitization for any user-provided file paths
- Review generated PDFs for any evidence of unauthorized file content exfiltration
Patch Information
The vulnerability has been fixed in jsPDF version 4.0.0, which restricts file system access by default. This semver-major update does not introduce other breaking changes beyond the security hardening. The fix is available in the v4.0.0 release, with implementation details visible in the security commit.
Workarounds
- For Node.js v20.0.0+, use the experimental --permission flag to restrict file system access
- For Node.js v22.13.0, v23.5.0, or v24.0.0 and later, the permission model is stable and recommended for production use
- Implement server-side input validation to sanitize all user-provided paths before passing to jsPDF
- Use allowlist validation to restrict file paths to known-safe directories only
- Consider running the Node.js process with minimal file system permissions
# Configuration example for Node.js permission model (v22.13.0+)
# Start Node.js with restricted file system permissions
node --permission --allow-fs-read=/app/allowed-assets/ your-app.js
# For older Node.js versions, implement path sanitization
# Ensure all user inputs are validated against an allowlist
# Example: only allow paths within /app/uploads/ directory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

