CVE-2025-29907
Published: 18 March 2025
Summary
CVE-2025-29907 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Parall Jspdf. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 35.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of known flaws like CVE-2025-29907 in jsPDF versions prior to 3.0.1 to eliminate the resource exhaustion vulnerability.
Mandates validation and sanitization of user-supplied inputs such as image URLs and data-URLs passed to jsPDF methods to block malicious payloads causing CPU exhaustion.
Implements protections against denial-of-service attacks, including resource exhaustion from harmful data-URLs in jsPDF's addImage, html, and addSvgAsImage methods.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables crafted input to jsPDF methods causing resource exhaustion and DoS via application exploitation.
NVD Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitised image urls to…
more
the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service. Other affected methods are html and addSvgAsImage. The vulnerability was fixed in jsPDF 3.0.1.
Deeper analysisAI
CVE-2025-29907 affects jsPDF, a JavaScript library for generating PDFs, in versions prior to 3.0.1. The vulnerability arises from user control over the first argument of the addImage method, which can lead to high CPU utilization and denial of service when unsanitized image URLs, such as harmful data-URLs, are passed to it. The html and addSvgAsImage methods are also affected. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWEs 400 (Uncontrolled Resource Consumption) and 770 (Allocation of Resources Without Limits or Throttling).
An attacker can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. By supplying a malicious data-URL to the affected methods in an application using vulnerable jsPDF versions, the attacker triggers excessive CPU consumption, resulting in denial of service that disrupts PDF generation and potentially impacts the hosting application's availability.
The vulnerability was fixed in jsPDF version 3.0.1. The GitHub security advisory (GHSA-w532-jxjh-hjhj) and the fixing commit (b167c43c27c466eb914b927885b06073708338df) detail the patch, recommending immediate upgrades to the patched version for mitigation.
Details
- CWE(s)