Vulnerabilities · January 9, 2026 · 4 min read

jsPDF Flaw Lets Attackers Embed Local Files in PDFs

CVE-2025-68428 enables path traversal in the popular JavaScript PDF library, allowing attackers to read arbitrary files from Node.js servers and exfiltrate them via generated documents.

Marcus Chen

A critical path traversal vulnerability in jsPDF, a JavaScript library downloaded 3.5 million times weekly from npm, allows attackers to read arbitrary files from servers running Node.js applications. The flaw enables embedding sensitive data—configuration files, environment variables, credentials—directly into generated PDF documents.

Security researcher Kwangwoon Kim (kilkat) discovered CVE-2025-68428 and reported it through GitHub's security advisory process. The vulnerability affects all versions through 3.0.4 and carries a CVSS 4.0 score of 9.2.

How CVE-2025-68428 Works

The vulnerability exists in jsPDF's loadFile method within Node.js builds. When an application passes user-controlled input as a file path argument, the library reads that file from disk and incorporates its contents into the generated PDF output. There's no path sanitization—attackers can use directory traversal sequences like ../ to access files outside the intended directory.

Multiple methods are vulnerable:

  • loadFile
  • addImage
  • html
  • addFont

Consider a web application that lets users generate PDF reports with custom images. If the application passes user input directly to addImage without sanitization, an attacker could submit a path like ../../../etc/passwd and receive a PDF containing the server's password file.

The attack doesn't stop at reading files. Because the stolen data is embedded in a PDF that the application itself generates and returns, the attacker receives the exfiltrated information through the application's normal output channel; no separate exfiltration infrastructure is required.

Real-World Attack Scenarios

The vulnerability is most dangerous in applications that:

  1. Generate PDFs with user-supplied content - Invoice generators, report builders, certificate creators
  2. Allow custom images, fonts, or HTML - Any application accepting file paths from users
  3. Run Node.js on the server side - Browser-based jsPDF usage is not affected

An attacker exploiting CVE-2025-68428 could steal:

  • .env files containing API keys and database credentials
  • SSH private keys
  • Cloud provider credentials
  • Internal configuration files revealing architecture details
  • Source code and intellectual property

Why This Matters

jsPDF appears in dependency trees across countless Node.js applications. The npm package itself shows 3.5 million weekly downloads, but the true exposure includes every application and package that depends on it. Developers often include jsPDF to generate invoices, reports, or certificates without realizing the security implications of combining file system access with user input.

The vulnerability is particularly insidious because it doesn't crash the application or generate obvious errors. A successful attack produces a valid PDF document—it just contains additional content the developer never intended to include.

Affected Versions

  • Vulnerable: jsPDF versions 0.0.1 through 3.0.4
  • Fixed: jsPDF version 4.0.0 and later

The fix restricts filesystem access by default in Node.js builds. Applications requiring file system access must explicitly enable it and implement their own path validation.

Remediation Steps

  1. Upgrade to jsPDF 4.0.0 or later - This is the primary fix
  2. Enable Node.js permission mode - Use the --permission flag when running Node.js applications (stable since Node.js 22.13.0/23.5.0/24.0.0)
  3. Sanitize user input - Never pass user-controlled strings directly to jsPDF file methods
  4. Review dependencies - Check if any packages in your dependency tree include vulnerable jsPDF versions

For applications that cannot immediately upgrade, implement strict input validation on any paths passed to jsPDF methods. Reject inputs containing .., absolute paths, or characters that could enable traversal attacks.

Detection Guidance

Monitor for:

  • Unusual file access patterns from Node.js processes
  • PDF generation requests containing path traversal sequences
  • Generated PDFs with unexpectedly large file sizes (may indicate embedded sensitive data)

Applications logging PDF generation requests should audit logs for path traversal attempts in file parameters.
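A log audit of the kind described above, as an added example that is not part of the original article (the log format, parameter names and log lines are constructed; real deployments will need the regex adapted to their own format):

```javascript
// Added example: flag PDF-generation requests whose file parameters carry
// traversal sequences, including URL-encoded variants a naive ".." check misses.

// Constructed log lines in a hypothetical "key=value" request-log format.
const SAMPLE_LOG = [
  '2026-01-09T10:00:01Z POST /reports/pdf image=logo.png status=200',
  '2026-01-09T10:00:02Z POST /reports/pdf image=../../../etc/passwd status=200',
  '2026-01-09T10:00:03Z POST /reports/pdf font=..%2F..%2F.env status=200',
  '2026-01-09T10:00:04Z POST /reports/pdf html=%252e%252e%2Fsecrets.yaml status=200',
  '2026-01-09T10:00:05Z POST /reports/pdf image=/etc/passwd status=200',
  '2026-01-09T10:00:06Z GET /healthz status=200',
];

// Parameters this hypothetical application forwards to jsPDF file methods.
const FILE_PARAMS = ['image', 'font', 'html', 'file'];

// Decode repeatedly (bounded) so double-encoded "%252e" still becomes "..".
function decodeFully(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// A value is suspicious if any segment is ".." or it is an absolute path.
function isTraversal(value) {
  const decoded = decodeFully(value).replace(/\\/g, '/');
  return decoded.split('/').includes('..') || decoded.startsWith('/');
}

// Returns one finding per suspicious file parameter, with the decoded value.
function findTraversalAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    for (const m of line.matchAll(/\b(\w+)=(\S+)/g)) {
      const [, key, value] = m;
      if (!FILE_PARAMS.includes(key)) continue;
      if (isTraversal(value)) hits.push({ line, param: key, decoded: decodeFully(value) });
    }
  }
  return hits;
}
```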

The Broader Pattern

CVE-2025-68428 joins a growing list of vulnerabilities in popular npm packages that affect millions of applications through dependency chains. The LangChain secret theft vulnerability we covered recently demonstrated similar risks from AI framework dependencies.

JavaScript's npm ecosystem enables rapid development but distributes security risks across thousands of packages. When a foundational library like jsPDF contains a vulnerability, the blast radius extends to every application built on top of it. Security teams should prioritize dependency scanning and consider tools that track transitive dependencies for known vulnerabilities.
