Critical Local File Inclusion Vulnerability in jsPDF Library

Updated March 21, 2026 at 02:57 PM | 2 sources

A critical vulnerability, tracked as CVE-2025-68428, was discovered in the jsPDF library, which is widely used for generating PDFs in JavaScript applications. In the Node.js build of jsPDF, unsanitized paths passed to the `loadFile` method lead to local file inclusion and path traversal, potentially enabling unauthorized access to arbitrary files on the server. The `addImage`, `html`, and `addFont` methods are also affected, and the vulnerability is present in the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The issue has been addressed in jsPDF version 4.0.0, which restricts file system access by default.

The vulnerability is remotely exploitable and poses a significant risk to applications that pass user-controlled input to these methods. jsPDF recommends updating to version 4.0.0 or later and, for older Node.js versions, sanitizing user-provided paths before use. Additionally, Node.js environments should use the `--permission` flag to further restrict file system access. Organizations using jsPDF in server-side environments are urged to review their implementations and apply the necessary updates or mitigations to prevent potential data breaches or unauthorized file access.
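One way to do the path sanitization recommended above when an upgrade is not yet possible, as an added example that is not jsPDF's own code. The helper names `resolveInside` and `demo`, the `assets` directory and the sample files are assumptions constructed for illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Return the canonical path of userPath inside baseDir, or throw.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== "string" || userPath === "" || userPath.includes("\0")) {
    throw new Error("invalid path");
  }
  const base = fs.realpathSync(baseDir);
  // path.resolve collapses "../" segments and lets an absolute input
  // override base, so the containment check must run on its result.
  const candidate = path.resolve(base, userPath);
  // realpathSync follows symlinks (and throws if the file does not exist),
  // so a link inside baseDir that points elsewhere is caught too.
  const real = fs.realpathSync(candidate);
  const rel = path.relative(base, real);
  const outside = rel === "" || rel === ".." ||
    rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (outside || !fs.statSync(real).isFile()) {
    throw new Error("path is outside the allowed directory or not a regular file");
  }
  return real;
}

// Constructed sample tree: assets/logo.png may be read, secret.txt may not.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "pdf-assets-"));
  const assets = path.join(root, "assets");
  const secret = path.join(root, "secret.txt");
  fs.mkdirSync(assets);
  fs.writeFileSync(path.join(assets, "logo.png"), "constructed image bytes");
  fs.writeFileSync(secret, "constructed secret");
  fs.symlinkSync(secret, path.join(assets, "link.png"));
  const inputs = { plain: "logo.png", nested: "x/../logo.png",
    traversal: "../secret.txt", absolute: secret, symlink: "link.png" };
  const allowed = {};
  for (const [label, input] of Object.entries(inputs)) {
    try { resolveInside(assets, input); allowed[label] = true; }
    catch { allowed[label] = false; }
  }
  fs.rmSync(root, { recursive: true, force: true });
  return allowed;
}

console.log(demo());
```

Pass the canonical path that `resolveInside` returns, not the original user input, to the file-loading call. This check complements the upgrade to 4.0.0 and the Node.js `--permission` flag rather than replacing them.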

Timeline

  1. Jan 5, 2026

    jsPDF 4.0.0 released with file access restrictions by default

    The vulnerability was fixed in jsPDF version 4.0.0 by restricting file system access by default in the affected Node.js builds. Suggested mitigations for users unable to upgrade included using Node.js permission controls or sanitizing user-supplied paths.

  2. Jan 5, 2026

    Critical path traversal flaw identified in jsPDF Node.js builds

    CVE-2025-68428 was identified as a critical local file inclusion and path traversal vulnerability in jsPDF's Node.js builds, allowing attacker-controlled paths in methods such as loadFile to read arbitrary local files and embed their contents in generated PDFs. The issue affects dist/jspdf.node.js and dist/jspdf.node.min.js and is remotely exploitable without user interaction.

Related Stories

Critical Remote Code Execution Vulnerability in md-to-pdf via JavaScript Injection (CVE-2025-65108)

A critical vulnerability (CVE-2025-65108, CVSS 10.0) has been identified in the `md-to-pdf` tool, which is used to convert Markdown files to PDF using Node.js and headless Chrome. The flaw allows attackers to achieve remote code execution by injecting malicious JavaScript into the front-matter section of Markdown files, exploiting the way the gray-matter library parses these blocks. This vulnerability is remotely exploitable and poses a significant risk to any system processing untrusted Markdown files with affected versions of `md-to-pdf`. The issue has been addressed in version 5.2.5 of the `md-to-pdf` library, and users are strongly advised to update to this version to mitigate the risk. No specific affected product versions are listed, but the vulnerability impacts all prior versions that use the vulnerable parsing mechanism. Security advisories have been published to highlight the severity and exploitation potential of this flaw, emphasizing the need for immediate remediation in environments where Markdown-to-PDF conversion is automated or exposed to user-supplied content.

1 month ago

PDF Ecosystem Vulnerabilities Enable One-Click Attacks and PDF Object Injection

Security researchers reported multiple previously unknown weaknesses across the PDF ecosystem that can be exploited through crafted documents. Novee Security’s research into *Foxit* and *Apryse* PDF platforms described **13 vulnerability categories** and **16 exploit paths**, including **critical XSS** and **OS command injection**, with “one-click” scenarios where simply opening a document could trigger compromise and potentially enable account takeover or backend command execution. Separately, a high-severity flaw in the widely used *jsPDF* library was disclosed as **CVE-2026-25755** (CVSS **8.8**), enabling **PDF object injection** via improper sanitization in the `addJS` method. By breaking out of the `/JS (...)` string (e.g., injecting `) >> /Action ...`), an attacker can inject arbitrary PDF structures and actions such as `/OpenAction`, potentially triggering behavior even when JavaScript is disabled in the viewer and enabling document manipulation (e.g., altering `/Annots` or `/Signatures`) across different PDF viewers, including lightweight mobile/embedded parsers.

1 month ago

Foxit PDF Editor Cloud XSS Vulnerabilities Patched

Foxit released security updates for *Foxit PDF Editor Cloud* (and related *Foxit eSign* components) to address two **cross-site scripting (XSS)** flaws that could allow **arbitrary JavaScript execution** in a victim’s browser when handling crafted content. The issues are tracked as **CVE-2026-1591** and **CVE-2026-1592** (both **CWE-79**) and were attributed to insufficient input validation and improper output encoding that allowed untrusted data to be embedded into the application’s HTML. The vulnerable functionality includes the **File Attachments list** and **Layers panel**, where attackers could inject payloads via crafted attachment filenames or manipulated layer names inside PDFs, requiring **user interaction** (e.g., opening/interacting with malicious documents) and typically **authenticated** access. Both CVEs are rated **moderate severity** with **CVSS v3.0 6.3**; exploitation could expose sensitive information available to the user’s session (e.g., document contents and session data). Foxit’s guidance is to ensure affected services are updated; the most recent referenced update for PDF Editor Cloud was released **February 3, 2026**.

1 month ago
