Cyber Resilience

CVE-2025-29907

HighPublic PoCDDoS

Published: 18 March 2025

Published
18 March 2025
Modified
22 September 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0047 64.9th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29907 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Parall Jspdf. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 35.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-29907 affects jsPDF, a JavaScript library for generating PDFs, in versions prior to 3.0.1. The vulnerability arises from user control over the first argument of the addImage method, which can lead to high CPU utilization and denial of service when unsanitized image URLs, such as harmful data-URLs, are passed to it. The html and addSvgAsImage methods are also affected. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWEs 400 (Uncontrolled Resource Consumption) and 770 (Allocation of Resources Without Limits or Throttling).

An attacker can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. By supplying a malicious data-URL to the affected methods in an application using vulnerable jsPDF versions, the attacker triggers excessive CPU consumption, resulting in denial of service that disrupts PDF generation and potentially impacts the hosting application's availability.

The vulnerability was fixed in jsPDF version 3.0.1. The GitHub security advisory (GHSA-w532-jxjh-hjhj) and the fixing commit (b167c43c27c466eb914b927885b06073708338df) detail the patch, recommending immediate upgrades to the patched version for mitigation.

EU & UK References

Vulnerability details

jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitised image urls to…

more

the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service. Other affected methods are html and addSvgAsImage. The vulnerability was fixed in jsPDF 3.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables crafted input to jsPDF methods causing resource exhaustion and DoS via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25535Same product: Parall Jspdf
CVE-2026-25755Same product: Parall Jspdf
CVE-2026-25940Same product: Parall Jspdf
CVE-2026-24737Same product: Parall Jspdf
CVE-2026-31938Same product: Parall Jspdf
CVE-2025-68428Same product: Parall Jspdf
CVE-2026-31898Same product: Parall Jspdf
CVE-2026-25762Shared CWE-400, CWE-770
CVE-2026-25673Shared CWE-400, CWE-770
CVE-2026-40192Shared CWE-400, CWE-770

Affected Assets

parall
jspdf
≤ 3.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely patching of known flaws like CVE-2025-29907 in jsPDF versions prior to 3.0.1 to eliminate the resource exhaustion vulnerability.

prevent

Mandates validation and sanitization of user-supplied inputs such as image URLs and data-URLs passed to jsPDF methods to block malicious payloads causing CPU exhaustion.

prevent

Implements protections against denial-of-service attacks, including resource exhaustion from harmful data-URLs in jsPDF's addImage, html, and addSvgAsImage methods.

References