CVE-2025-68428

Critical · Updated

Published: 05 January 2026

Modified: 30 June 2026
CVSS Score v4: 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0128 (66.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-68428 is a critical-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Parall Jspdf. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 33.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-68428 is a path traversal vulnerability (CWE-22, CWE-35, CWE-73) in the jsPDF JavaScript library for generating PDFs, affecting only the Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) prior to version 4.0.0. It arises from user-controlled input to the first argument of the loadFile method, as well as the addImage, html, and addFont methods, enabling local file inclusion. This allows retrieval of arbitrary file contents from the local file system where the Node.js process is running, with the contents embedded verbatim into generated PDFs.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited remotely over a network by unauthenticated attackers with low complexity and no user interaction required. An attacker who can supply unsanitized paths to the affected methods—such as through a web application or server-side script using jsPDF—can read sensitive files like configuration data, credentials, or source code, leaking their contents via the output PDF.

The fix is jsPDF version 4.0.0, a semver-major release that restricts file system access by default and introduces no other breaking changes. Advisories recommend upgrading immediately. Workarounds include sanitizing user-provided paths before passing them to jsPDF or, on recent Node.js versions, using the --permission flag in production environments (the feature was experimental in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0). Relevant resources include the security advisory GHSA-f8cm-6447-x5h2, the v4.0.0 release notes, and the fixing commit a688c8f479929b24a6543b1fa2d6364abb03066d.

Vulnerability details

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 · Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 · Credentials In Files · Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Path traversal enables direct arbitrary local file read (T1005) including credential files (T1552.001) from the Node.js process context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24737 · Same product: Parall Jspdf
CVE-2026-31898 · Same product: Parall Jspdf
CVE-2026-31938 · Same product: Parall Jspdf
CVE-2026-25755 · Same product: Parall Jspdf
CVE-2026-25940 · Same product: Parall Jspdf
CVE-2025-29907 · Same product: Parall Jspdf
CVE-2026-25535 · Same product: Parall Jspdf
CVE-2026-33166 · Shared CWE-22
CVE-2026-23491 · Shared CWE-22
CVE-2026-4659 · Shared CWE-22

Affected Assets

parall · jspdf · ≤ 4.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates path traversal by requiring validation and sanitization of user-provided file paths before passing to jsPDF methods like loadFile, addImage, html, and addFont.

prevent

Requires timely remediation of the flaw by upgrading jsPDF to version 4.0.0, which restricts file system access by default and eliminates the vulnerability.

prevent

Enforces least privilege on the Node.js process, limiting accessible files (e.g., via Node.js --permission flag), thereby reducing the impact of successful path traversal.
