Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access by default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2026-0847 (jsPDF Local File Inclusion/Path Traversal Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
EUVD ID: EUVD-2026-0847
CVE ID: CVE-2025-68428
CVSS v4.0 Base Score: 9.2 (Critical)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Severity Breakdown
- Attack Vector (AV:N): network-exploitable; the file path reaches jsPDF from a remote request (for example a query parameter or JSON field of a PDF-generation endpoint), so no local or physical access is needed.
- Attack Complexity (AC:L): low; no race condition, guesswork or defense bypass is required.
- Attack Requirements (AT:N): no special deployment or execution conditions are needed beyond the application passing user input to an affected method. (User interaction is scored separately under UI.)
- Privileges Required (PR:N): none; an unauthenticated client can reach the endpoint.
- User Interaction (UI:N): none.
- Vulnerable System Confidentiality (VC:H): high; any file readable by the Node.js process can be disclosed.
- Vulnerable System Integrity (VI:N): none; files are read, not modified.
- Vulnerable System Availability (VA:N): none; no denial of service.
- Subsequent System Confidentiality (SC:H): high; files disclosed from the host typically include credentials and configuration for other systems (database URLs, API keys, private keys), so the confidentiality loss propagates beyond the PDF service itself.
- Subsequent System Integrity (SI:N): none.
- Subsequent System Availability (SA:N): none.
Conclusion: This is a critical-severity vulnerability due to its remote exploitability, low attack complexity, and high confidentiality impact, enabling attackers to exfiltrate sensitive files from affected systems.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Scenario
The vulnerability arises from unsanitized user input being passed as the path argument of loadFile (and of the other affected methods addImage, html and addFont) in jsPDF's Node.js builds, which read that path from the local filesystem. An attacker who controls the argument can use a traversal sequence such as `../`, or simply an absolute path, to make the library read any file the Node.js process can access and embed it in the output PDF.
Exploitation Steps
1. Identify a vulnerable endpoint
   - The attacker locates a web application or API that uses jsPDF < 4.0.0 in a Node.js environment and accepts user-controlled input that ends up as a file path during PDF generation (e.g., a logo, font or template parameter for dynamic reports, invoices or document generation).
2. Craft malicious input
   - The attacker submits a path traversal payload such as `../../../../etc/passwd` (or an absolute path such as `/etc/passwd`, which contains no traversal sequence at all) as the first argument to `loadFile`, `addImage` or a similar method. A complete payload is given in the proof of concept in section 6.
3. File exfiltration
   - The vulnerable jsPDF instance reads the file and embeds its contents verbatim in the generated PDF.
   - The attacker retrieves the PDF (e.g., via a download link or API response) and extracts the file contents.
Attack Surface
- Web Applications: Any Node.js-based web app using jsPDF for PDF generation (e.g., reporting tools, document management systems).
- APIs: REST or GraphQL APIs that accept user input for PDF generation.
- Server-Side Scripts: Automated scripts that generate PDFs from user-provided data.
Mitigating Factors
- Browser-based jsPDF: only the Node.js builds (`dist/jspdf.node.js`, `dist/jspdf.node.min.js`) are affected; the browser builds have no filesystem access and are not vulnerable.
- File system permissions: exploitation is limited to files readable by the Node.js process (e.g., `/etc/passwd` on Linux, `C:\Windows\win.ini` on Windows). In practice this usually includes the application's own source and configuration files and, on Linux, `/proc/self/environ`, which exposes the process environment and any secrets passed through it.
- Output control: the attacker needs a way to retrieve the generated PDF (e.g., via a download link or API response).
3. Affected Systems and Software Versions
Vulnerable Versions
- jsPDF < 4.0.0 (all versions prior to the fix).
- Affected files: `dist/jspdf.node.js`, `dist/jspdf.node.min.js`
Non-Vulnerable Versions
- jsPDF ≥ 4.0.0 (fixed version).
- Browser-based jsPDF (not affected).
Dependency Chain Risks
- Bundled server code: applications whose bundler (Webpack, Rollup, esbuild) resolves jsPDF to its Node.js build for a server-side bundle ship the vulnerable code even if `dist/jspdf.node.js` was never imported explicitly; check which file is actually resolved, not only the package version.
- Serverless functions: Node.js functions (e.g., AWS Lambda, Vercel Functions) that generate PDFs with jsPDF are at risk if they pass user-controlled paths to it; the function's deployment package and environment are what get read.
4. Recommended Mitigation Strategies
Primary Mitigation: Upgrade jsPDF
- Immediate action: upgrade to jsPDF 4.0.0 or later, which restricts file system access by default, then confirm that no older copy remains in the dependency tree:
```bash
npm install jspdf@latest
npm ls jspdf
```
Workarounds (If Upgrade is Not Feasible)
1. Node.js permission model (recommended for Node ≥ 20)
   - Start the process with the permission model enabled and grant read access only to what the application needs (its own code, `node_modules` and the asset directory). `--allow-fs-read` has no effect on its own; it only applies once the model is switched on with `--permission`:
```bash
node --permission --allow-fs-read=/srv/app --allow-fs-read=/srv/pdf-assets /srv/app/app.js
```
   - With the model active, any read outside the granted paths fails with `ERR_ACCESS_DENIED`, so a traversal or absolute-path payload produces an error instead of a PDF containing the file. Grant the narrowest directories that work; `--allow-fs-read=/` or `--allow-fs-read=*` re-opens the hole. Writes (`--allow-fs-write`), child processes and workers stay denied unless granted separately.
   - Versions: in Node 20.x the flag is spelled `--experimental-permission`; it was renamed `--permission` and declared stable in v22.13.0, v23.5.0 and v24.0.0.
2. Input sanitization
   - Prefer not to accept a path at all: let the user choose an identifier (`logo=acme`) and map it to a server-side path through an allowlist. Where a relative path must be accepted, reject absolute paths and traversal sequences and resolve the result against a fixed base directory; blocking `../` alone is not enough, because `/etc/passwd` contains no traversal sequence. Minimal check:
```javascript
const path = require('path');

// Reject inputs that can escape the intended directory: absolute paths,
// "..", home-directory shorthand, Windows separators and NUL bytes.
function sanitizePath(input) {
  if (path.isAbsolute(input) || /(\.\.|~|\\|\0)/.test(input)) {
    throw new Error("Invalid path: path traversal detected");
  }
  return path.normalize(input);
}
```
3. Isolate PDF generation
   - Run PDF generation as a separate service in a sandbox (e.g., a container built from a minimal image that holds only the application and its assets, running as a dedicated low-privilege user). What matters is what is readable in that filesystem: a read-only root filesystem does not prevent reads, so keep secrets and unrelated data out of the container and, where possible, out of its environment variables.
   - In serverless deployments, keep the function's package minimal and do not ship configuration files containing secrets alongside the code.
4. Avoid the Node.js build
   - If PDFs can be generated client-side, use the browser (UMD/ES) build in the browser instead of `jspdf.node.js` on the server; the browser build has no filesystem access, so there is nothing to traverse.
Detection and Monitoring
- Dependency scanning: use `npm audit`, Snyk or Dependabot to find jsPDF versions below 4.0.0, and `npm ls jspdf` to find transitive copies pulled in by other packages.
- Runtime monitoring: log the resolved path of every file jsPDF is asked to load and alert on reads outside the asset directory or of well-known targets (`/etc/passwd`, `/etc/shadow`, `/proc/self/environ`, `.env`).
- Traffic inspection: baseline PDF response sizes per endpoint and alert on outliers, and on requests whose parameters carry traversal sequences or absolute paths (see the detection rules in section 6). Payloads sent in POST bodies do not appear in standard web-server access logs, so application-level logging is needed to cover them.
5. Impact on the European Cybersecurity Landscape
Regulatory and Compliance Risks
- GDPR (General Data Protection Regulation):
- Unauthorized access to sensitive files (e.g., PII, financial records) could lead to data breaches, triggering GDPR Article 33 (72-hour breach notification) and potential fines up to €20 million or 4% of global revenue.
- NIS2 Directive (Network and Information Security):
- Critical infrastructure operators (e.g., energy, healthcare, finance) using vulnerable jsPDF instances may face enhanced scrutiny and mandatory reporting requirements.
- DORA (Digital Operational Resilience Act):
- Financial entities must ensure third-party risk management; jsPDF as a dependency introduces supply chain risks.
Sector-Specific Risks
| Sector | Potential Impact |
|---|---|
| Government | Exposure of classified documents, citizen data, or internal policies. |
| Healthcare | Unauthorized access to patient records (EHRs) in violation of GDPR and national health-data rules. |
| Finance | Theft of financial reports, transaction logs, or customer data. |
| Critical Infrastructure | Exposure of operational documents (e.g., SCADA configurations, network diagrams) that enable follow-on attacks. |
| E-Commerce | Exposure of customer orders, payment details, or internal business documents. |
Threat Actor Motivations
- Cybercriminals: Exfiltrate sensitive data for extortion (ransomware), fraud, or sale on dark web markets.
- State-Sponsored Actors: Target government or critical infrastructure for espionage or sabotage.
- Hacktivists: Leak documents to embarrass organizations or expose misconduct.
European CERT/CSIRT Response
- ENISA (European Union Agency for Cybersecurity): may issue advisories and coordinate disclosure across member states.
- CERT-EU and national CSIRTs (e.g., BSI/CERT-Bund, ANSSI/CERT-FR): may publish advisories, detection rules and mitigation guidance for affected organizations.
- Threat intelligence sharing: platforms such as MISP may distribute indicators of compromise (IOCs) related to exploitation attempts.
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerability type: local file inclusion (LFI) / path traversal (CWE-22, CWE-23).
- Affected code: the `loadFile` implementation in `jspdf.node.js` reads whatever path it is given from the local filesystem without validating or confining it; `addImage`, `html` and `addFont` reach the same code path when handed a filename.
- Patch analysis (commit `a688c8f479929b24a6543b1fa2d6364abb03066d`):
  - Restricted file system access: the default behavior no longer performs arbitrary file reads.
  - Whitelist-based path resolution: only explicitly permitted locations may be accessed.
  - Error handling: invalid paths raise an exception instead of failing silently.
Exploitation Proof of Concept (PoC)
```javascript
// PoC against jsPDF < 4.0.0 (Node.js build). Run from a directory at least four
// levels deep so the relative path reaches "/"; an absolute path such as
// '/etc/passwd' works just as well and needs no traversal sequence.
const fs = require('fs');
const { jsPDF } = require('jspdf');

const doc = new jsPDF();
// loadFile(url, sync, callback): with sync = true the file contents are
// returned directly, read from the server's local filesystem.
const data = doc.loadFile('../../../../etc/passwd', true);
doc.text(data, 10, 10);
// Write the PDF from Node; its content stream now carries /etc/passwd verbatim.
fs.writeFileSync('exploit.pdf', Buffer.from(doc.output('arraybuffer')));
```
Forensic Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| File Access Logs | Unusual reads of /etc/passwd, /etc/shadow, C:\Windows\win.ini, etc. |
| PDF Content | File contents appearing in the PDF's page content stream (jsPDF writes `doc.text` output there, not as an attachment) or in image objects; decompress with a PDF parser (e.g., `qpdf --qdf`) before searching for markers such as `root:x:0:0` or `PRIVATE KEY`. |
| Network Traffic | PDF responses whose size deviates from the endpoint's baseline, and requests whose parameters carry `../`, encoded variants (`%2e%2e%2f`) or absolute paths. |
| Process Activity | Node.js process accessing unexpected files (monitor with strace or ProcMon). |
Detection Rules (SIEM/SOAR)
- Splunk (replace `/api/report*` with the application's own PDF endpoint; the regex also matches URL-encoded variants and absolute paths to common Linux directories, which a plain `../` search misses):
```
index=web sourcetype=access_* uri_path="/api/report*"
| regex uri_query="(?i)(\.\.(/|\\\\|%2f|%5c)|%2e%2e(/|\\\\|%2f|%5c)|=(/|%2f)(etc|proc|root|home|var|usr)(/|%2f))"
| stats count by clientip, uri_path, uri_query
```
- Sigma rule (YAML). The rule catches `../`-style payloads and their common encodings; absolute-path payloads are not covered and need the application-level logging described above:
```yaml
title: Suspicious jsPDF Path Traversal Attempt
id: 1a2b3c4d-5e6f-7g8h-9i0j-k1l2m3n4o5p6   # placeholder, not a valid UUID; generate one before use
status: experimental
description: Detects path traversal attempts in query strings sent to endpoints that generate PDFs with jsPDF
references:
  - https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2
author: EUVD Monitoring Team
date: 2026/01/05
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '../'
      - '..\'
      - '%2e%2e%2f'
      - '%2e%2e/'
      - '..%2f'
      - '..%5c'
      - '~/'
  condition: selection
falsepositives:
  - Legitimate file paths with similar patterns
level: high
```
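As an added example (not part of the original advisory, the Splunk search or the Sigma rule above), the following scans constructed access-log lines for traversal payloads aimed at a PDF endpoint. It goes beyond the rules above in two ways: each parameter value is URL-decoded twice, so double-encoded `%252e%252e%252f` is caught, and absolute paths are flagged as well, which no `../`-based rule can see. The endpoint `/api/report`, the parameter names and the log lines are constructed for the illustration.

```javascript
// Added example (not part of the advisory or the rules above): scan web-server
// access-log lines for traversal payloads aimed at a PDF endpoint. It decodes
// each parameter value twice (to catch %252e double encoding), matches both "/"
// and "\" forms, and also flags absolute paths, which "../"-based rules never see.

// Constructed sample lines in Apache/Nginx combined format (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [05/Jan/2026:10:00:01 +0000] "GET /api/report?logo=logos%2Facme.png HTTP/1.1" 200 51234',
  '203.0.113.9 - - [05/Jan/2026:10:00:02 +0000] "GET /api/report?logo=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 7310',
  '203.0.113.9 - - [05/Jan/2026:10:00:03 +0000] "GET /api/report?logo=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 3021',
  '203.0.113.9 - - [05/Jan/2026:10:00:04 +0000] "GET /api/report?font=/proc/self/environ HTTP/1.1" 200 4410',
  '198.51.100.7 - - [05/Jan/2026:10:00:05 +0000] "GET /api/report?logo=..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 1900',
  '10.0.0.6 - - [05/Jan/2026:10:00:06 +0000] "GET /static/jspdf.umd.min.js HTTP/1.1" 200 350000',
  '10.0.0.7 - - [05/Jan/2026:10:00:07 +0000] "POST /api/report HTTP/1.1" 200 60123',
];

const REQUEST_RE = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/; // method and request target
const CLIENT_RE = /^(\S+) /;                         // leading client address

// decodeURIComponent throws on malformed sequences such as "%zz"; keep the
// raw value in that case rather than dropping the line.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}
function decodeTwice(s) {
  return safeDecode(safeDecode(s));
}

// Classify each query parameter value; returns one finding per suspicious value.
function inspectQuery(rawQuery) {
  const findings = [];
  for (const pair of rawQuery.split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const key = decodeTwice(pair.slice(0, eq));
    const value = decodeTwice(pair.slice(eq + 1));
    if (/(^|[\/\\])\.\.([\/\\]|$)/.test(value)) {
      findings.push({ key, reason: 'dot-dot traversal', value });
    } else if (/^([\/\\]|[A-Za-z]:[\/\\])/.test(value)) {
      findings.push({ key, reason: 'absolute path', value });
    } else if (value.includes('\0')) {
      findings.push({ key, reason: 'NUL byte', value });
    }
  }
  return findings;
}

// Scan lines whose request path starts with endpointPrefix; return one alert
// per line that carries at least one suspicious parameter value.
function scanAccessLog(lines, endpointPrefix = '/api/report') {
  const alerts = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const method = m[1];
    const target = m[2];
    const q = target.indexOf('?');
    if (q < 0) continue;                       // no query string to inspect
    if (!target.slice(0, q).startsWith(endpointPrefix)) continue;
    const findings = inspectQuery(target.slice(q + 1));
    if (findings.length > 0) {
      alerts.push({ client: CLIENT_RE.exec(line)[1], method, findings });
    }
  }
  return alerts;
}

const alerts = scanAccessLog(SAMPLE_LOG);
for (const a of alerts) {
  console.log(a.client, a.method, JSON.stringify(a.findings));
}
```

On the constructed sample, four of the seven lines are flagged: the plain, double-encoded and backslash traversal attempts, and the `/proc/self/environ` absolute path; the legitimate `logos%2Facme.png` request and the static-asset line are not. The same limitation as the SIEM rules applies: a payload sent in a POST body or JSON field never reaches the access log, so the application should log the path it actually resolves.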
Hardening Recommendations
- Least privilege: run the Node.js process under a dedicated low-privilege account with the narrowest filesystem view that works (Node's `--permission` model, a container built from a minimal image, or `chroot`/mount namespaces), so that even a successful traversal finds nothing worth reading.
- Network segmentation: isolate the PDF generation service in its own subnet or as a separate service so it holds no credentials for other systems.
- Runtime application self-protection (RASP): deploy a RASP or WAF layer (e.g., Contrast Security; Sqreen is now part of Datadog's application security product) to block path traversal payloads, treating it as defense in depth rather than as the fix.
- File integrity and access monitoring (FIM): monitor critical files (e.g., `/etc/passwd`, `/etc/shadow`, configuration and key files) for unexpected reads by the Node.js process (auditd watches with `-p r` on Linux, Sysmon/ProcMon on Windows).
Conclusion
EUVD-2026-0847 represents a critical-severity vulnerability in jsPDF's Node.js builds, enabling remote disclosure of any file the Node.js process can read, via path traversal or a plain absolute path. Organizations must upgrade to jsPDF 4.0.0 or later without delay or, where that is not yet possible, apply the workarounds (Node.js permission model, path confinement). Given the GDPR and NIS2 implications, European entities should prioritize patching and monitor for exploitation attempts. Security teams should audit dependencies for the Node.js build, deploy the detection rules above, and harden Node.js environments so that a successful read finds nothing worth taking.
For further details, refer to the official advisories: