CVE-2026-24133 Overview
CVE-2026-24133 is a Denial of Service vulnerability affecting jsPDF, a popular JavaScript library used to generate PDF documents in client-side and server-side environments. The vulnerability stems from improper handling of user-controlled input in the addImage method, which can be exploited to cause out-of-memory errors and application crashes.
When an attacker provides a specially crafted BMP file with excessively large width and/or height values in its header, the library attempts to allocate memory proportional to these dimensions without proper validation. This can lead to memory exhaustion and denial of service conditions. The html method is also affected as it internally processes images.
Critical Impact
Applications using jsPDF versions prior to 4.1.0 that allow user-controlled image uploads or URL inputs to the addImage method are vulnerable to denial of service attacks through memory exhaustion.
Affected Products
- jsPDF versions prior to 4.1.0
- Applications using the addImage method with unsanitized user input
- Applications using the html method to process user-controlled content
Discovery Timeline
- 2026-02-02 - CVE-2026-24133 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-24133
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue lies in the BMP image parsing logic within jsPDF, which reads width and height values directly from the BMP file header and uses these values to allocate memory buffers without implementing reasonable limits or sanity checks.
BMP files store dimension information in their header structure, and these values can be arbitrarily large (up to 32-bit integers). When jsPDF processes such a file, it attempts to create image buffers sized according to these header values. A malicious BMP file claiming dimensions of millions of pixels can trigger allocation requests for gigabytes of memory, causing the JavaScript runtime to exhaust available memory.
The attack surface includes any application endpoint that accepts image data or URLs from users and passes them to jsPDF's addImage or html methods. This is particularly concerning for web applications that generate PDFs from user-submitted content.
Root Cause
The root cause is the absence of input validation for BMP image dimensions before memory allocation. The library trusts the dimension values provided in the BMP header without verifying they fall within reasonable bounds. This violates the principle of defensive programming where untrusted input should always be validated before resource allocation.
Attack Vector
The attack can be executed remotely over the network without authentication or user interaction. An attacker needs only to provide a malicious BMP file or URL pointing to one. The attack requires:
- A target application using jsPDF prior to version 4.1.0
- User input that reaches the addImage or html methods
- A crafted BMP file with large dimension values in its header
The malicious BMP file itself can be extremely small in actual file size (just a few bytes for the header) while claiming enormous dimensions. When processed, the library attempts to allocate memory based on the claimed dimensions rather than the actual file size, leading to memory exhaustion.
Detection Methods for CVE-2026-24133
Indicators of Compromise
- Sudden memory spikes in applications using jsPDF for PDF generation
- Application crashes or unresponsive states during image processing operations
- BMP files with unusually large dimension values in headers (width or height exceeding reasonable bounds)
- Error logs showing out-of-memory exceptions in PDF generation contexts
Detection Strategies
- Monitor application memory usage patterns during PDF generation operations
- Implement server-side validation of image dimensions before passing to jsPDF
- Use application performance monitoring (APM) tools to detect unusual memory allocation patterns
- Review incoming file uploads for BMP files with suspicious header values
Monitoring Recommendations
- Set up alerts for memory usage thresholds in services that generate PDFs
- Log all image processing operations with dimension metadata for forensic analysis
- Monitor for repeated failed PDF generation attempts from single sources
- Implement rate limiting on PDF generation endpoints to mitigate automated attacks
How to Mitigate CVE-2026-24133
Immediate Actions Required
- Upgrade jsPDF to version 4.1.0 or later immediately
- Audit all code paths where user input reaches addImage or html methods
- Implement server-side validation of image dimensions before processing
- Consider restricting accepted image formats if BMP support is not required
Patch Information
The vulnerability has been fixed in jsPDF version 4.1.0. The fix implements proper bounds checking for BMP image dimensions before memory allocation. Organizations should upgrade to this version or later as soon as possible.
For detailed information about the fix, refer to:
Workarounds
- Disable BMP image support if not required by your application
- Implement a pre-processing step that validates image dimensions before passing to jsPDF
- Use a web application firewall (WAF) to filter requests containing BMP files with abnormal headers
- Implement memory limits or sandboxing for PDF generation processes to contain potential impact
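The pre-processing step listed in the workarounds above, sketched as an added example (not jsPDF's own code or its 4.1.0 fix): it reads the BMP header, rejects oversized dimensions, and rejects files whose header claims more pixel data than the file contains. MAX_SIDE, MAX_PIXELS, inspectBmp and makeBmp are names and limits assumed for illustration.

```javascript
// Added example: pre-flight check of BMP headers before the bytes reach jsPDF.
// MAX_SIDE / MAX_PIXELS are assumed policy limits, not values taken from jsPDF.
const MAX_SIDE = 10000;
const MAX_PIXELS = 25000000;

function inspectBmp(bytes) {                       // bytes: Uint8Array or Buffer
  if (bytes.length < 2 || bytes[0] !== 0x42 || bytes[1] !== 0x4d) {
    return { isBmp: false, ok: true };             // no "BM" magic: not this check's job
  }
  if (bytes.length < 54) return { isBmp: true, ok: false, reason: "truncated header" };
  const v = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const pixelOffset = v.getUint32(10, true);
  if (v.getUint32(14, true) < 40) {                // policy: BITMAPINFOHEADER or newer only
    return { isBmp: true, ok: false, reason: "unsupported DIB header" };
  }
  const width = v.getInt32(18, true);
  const height = Math.abs(v.getInt32(22, true));   // negative height means top-down rows
  const bpp = v.getUint16(28, true);
  const compression = v.getUint32(30, true);
  const dims = { isBmp: true, width, height };
  if (width <= 0 || height === 0) {
    return { ...dims, ok: false, reason: "non-positive dimensions" };
  }
  if (width > MAX_SIDE || height > MAX_SIDE || width * height > MAX_PIXELS) {
    return { ...dims, ok: false, reason: "dimensions exceed limit" };
  }
  if (compression === 0) {                         // BI_RGB: pixel data size is predictable
    const rowBytes = Math.floor((bpp * width + 31) / 32) * 4;  // rows pad to 4 bytes
    if (pixelOffset + rowBytes * height > bytes.length) {
      return { ...dims, ok: false, reason: "header claims more pixels than file holds" };
    }
  }
  return { ...dims, ok: true };
}

// Constructed sample input: a 24-bit BMP header, optionally followed by zeroed pixels.
function makeBmp(width, height, withPixels) {
  const rowBytes = Math.floor((24 * width + 31) / 32) * 4;
  const size = 54 + (withPixels ? rowBytes * Math.abs(height) : 0);
  const buf = new Uint8Array(size);
  const v = new DataView(buf.buffer);
  buf[0] = 0x42; buf[1] = 0x4d;                    // "BM"
  v.setUint32(2, size, true);                      // file size
  v.setUint32(10, 54, true);                       // pixel data offset
  v.setUint32(14, 40, true);                       // BITMAPINFOHEADER size
  v.setInt32(18, width, true);
  v.setInt32(22, height, true);
  v.setUint16(26, 1, true);                        // planes
  v.setUint16(28, 24, true);                       // bits per pixel
  return buf;
}
```

Run the check on the raw upload or fetched bytes before handing them to addImage. Images that the html method processes internally do not pass through such a check, so it complements the upgrade to 4.1.0 rather than replacing it.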
# Example: Update jsPDF using npm
npm install jspdf@4.1.0
# Verify installed version
npm list jspdf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


