Cyber Resilience

CVE-2026-25535

HighPublic PoCDDoSUpdated

Published: 19 February 2026

Published
19 February 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0055 41.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25535 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Parall Jspdf. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25535 affects jsPDF, a JavaScript library for generating PDFs, in versions prior to 4.2.0. The vulnerability arises from user control over the first argument of the `addImage` method, as well as the `html` method, allowing unsanitized image data or URLs to trigger a denial of service. Specifically, a malicious GIF file with excessively large width and/or height values in its header causes uncontrolled memory allocation, leading to out-of-memory errors. This issue is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this vulnerability remotely over a network with low complexity, requiring no privileges or user interaction. Any context where untrusted users or inputs can supply image data or URLs to the affected methods—such as web applications using jsPDF for dynamic PDF generation—is at risk. Successful exploitation results in denial of service through excessive memory consumption, potentially crashing the application or browser tab processing the PDF generation.

The jsPDF security advisory (GHSA-67pg-wm7f-q7fj) and release notes for version 4.2.0 confirm the fix via commit 2e5e156e284d92c7d134bce97e6418756941d5e6. As a mitigation, upgrade to jsPDF 4.2.0 or later. In the interim, sanitize all image data and URLs before passing them to `addImage` or `html` methods to prevent processing of malformed inputs.

EU & UK References

Vulnerability details

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the…

more

`addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote exploitation of a resource exhaustion flaw (CWE-400/770) in jsPDF's addImage/html methods via malicious image input, directly enabling adversaries to crash the target application or browser through uncontrolled memory allocation. This maps precisely to T1499.004 (Application or System Exploitation) under the Impact tactic.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29907Same product: Parall Jspdf
CVE-2026-24737Same product: Parall Jspdf
CVE-2026-31898Same product: Parall Jspdf
CVE-2026-31938Same product: Parall Jspdf
CVE-2026-25755Same product: Parall Jspdf
CVE-2026-25940Same product: Parall Jspdf
CVE-2025-68428Same product: Parall Jspdf
CVE-2026-41309Shared CWE-400, CWE-770
CVE-2026-44240Shared CWE-400, CWE-770
CVE-2026-22815Shared CWE-400, CWE-770

Affected Assets

parall
jspdf
≤ 4.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the vulnerability by requiring identification, reporting, and correction of the flaw in jsPDF through upgrade to version 4.2.0 or later.

prevent

Requires validation of user-supplied image data and URLs prior to passing to addImage or html methods, preventing processing of malicious GIFs with excessive width/height values.

prevent

Protects against denial-of-service events like the out-of-memory condition triggered by uncontrolled resource consumption from malformed image inputs.

References