CVE-2025-68428
Published: 05 January 2026
Summary
CVE-2025-68428 is a critical-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Parall Jspdf. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 33.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68428 is a path traversal vulnerability (CWE-22, CWE-35, CWE-73) in the jsPDF JavaScript library for generating PDFs, affecting only the Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) prior to version 4.0.0. It arises from user-controlled input to the first argument of the loadFile method, as well as the addImage, html, and addFont methods, enabling local file inclusion. This allows retrieval of arbitrary file contents from the local file system where the Node.js process is running, with the contents embedded verbatim into generated PDFs.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited remotely over a network by unauthenticated attackers with low complexity and no user interaction required. An attacker who can supply unsanitized paths to the affected methods—such as through a web application or server-side script using jsPDF—can read sensitive files like configuration data, credentials, or source code, leaking their contents via the output PDF.
Mitigation is addressed in jsPDF version 4.0.0, a semver-major release that restricts file system access by default without other breaking changes. Advisories recommend upgrading immediately. Workarounds include sanitizing user-provided paths before passing them to jsPDF, or for recent Node.js versions (experimental in v20.0.0, stable since v22.13.0/v23.5.0/v24.0.0), using the --permission flag in production environments. Relevant resources include the security advisory at GHSA-f8cm-6447-x5h2, the v4.0.0 release notes, and the fixing commit a688c8f479929b24a6543b1fa2d6364abb03066d.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0847
Vulnerability details
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access by default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables direct arbitrary local file read (T1005) including credential files (T1552.001) from the Node.js process context.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates path traversal by requiring validation and sanitization of user-provided file paths before passing to jsPDF methods like loadFile, addImage, html, and addFont.
Requires timely remediation of the flaw by upgrading jsPDF to version 4.0.0, which restricts file system access by default and eliminates the vulnerability.
Enforces least privilege on the Node.js process, limiting accessible files (e.g., via Node.js --permission flag), thereby reducing the impact of successful path traversal.