CVE-2025-68428
Published: 05 January 2026
Summary
CVE-2025-68428 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Parall Jspdf. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal enables direct arbitrary local file read (T1005) including credential files (T1552.001) from the Node.js process context.
NVD Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths…
more
to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.
Deeper analysisAI
CVE-2025-68428 is a path traversal vulnerability (CWE-22, CWE-35, CWE-73) in the jsPDF JavaScript library for generating PDFs, affecting only the Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) prior to version 4.0.0. It arises from user-controlled input to the first argument of the loadFile method, as well as the addImage, html, and addFont methods, enabling local file inclusion. This allows retrieval of arbitrary file contents from the local file system where the Node.js process is running, with the contents embedded verbatim into generated PDFs.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited remotely over a network by unauthenticated attackers with low complexity and no user interaction required. An attacker who can supply unsanitized paths to the affected methods—such as through a web application or server-side script using jsPDF—can read sensitive files like configuration data, credentials, or source code, leaking their contents via the output PDF.
Mitigation is addressed in jsPDF version 4.0.0, a semver-major release that restricts file system access by default without other breaking changes. Advisories recommend upgrading immediately. Workarounds include sanitizing user-provided paths before passing them to jsPDF, or for recent Node.js versions (experimental in v20.0.0, stable since v22.13.0/v23.5.0/v24.0.0), using the --permission flag in production environments. Relevant resources include the security advisory at GHSA-f8cm-6447-x5h2, the v4.0.0 release notes, and the fixing commit a688c8f479929b24a6543b1fa2d6364abb03066d.
Details
- CWE(s)