CVE-2026-25535
Published: 19 February 2026
Summary
CVE-2026-25535 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Parall Jspdf. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25535 affects jsPDF, a JavaScript library for generating PDFs, in versions prior to 4.2.0. The vulnerability arises from user control over the first argument of the `addImage` method, as well as the `html` method, allowing unsanitized image data or URLs to trigger a denial of service. Specifically, a malicious GIF file with excessively large width and/or height values in its header causes uncontrolled memory allocation, leading to out-of-memory errors. This issue is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this vulnerability remotely over a network with low complexity, requiring no privileges or user interaction. Any context where untrusted users or inputs can supply image data or URLs to the affected methods—such as web applications using jsPDF for dynamic PDF generation—is at risk. Successful exploitation results in denial of service through excessive memory consumption, potentially crashing the application or browser tab processing the PDF generation.
The jsPDF security advisory (GHSA-67pg-wm7f-q7fj) and release notes for version 4.2.0 confirm the fix via commit 2e5e156e284d92c7d134bce97e6418756941d5e6. As a mitigation, upgrade to jsPDF 4.2.0 or later. In the interim, sanitize all image data and URLs before passing them to `addImage` or `html` methods to prevent processing of malformed inputs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8095
Vulnerability details
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the…
more
`addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes remote exploitation of a resource exhaustion flaw (CWE-400/770) in jsPDF's addImage/html methods via malicious image input, directly enabling adversaries to crash the target application or browser through uncontrolled memory allocation. This maps precisely to T1499.004 (Application or System Exploitation) under the Impact tactic.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the vulnerability by requiring identification, reporting, and correction of the flaw in jsPDF through upgrade to version 4.2.0 or later.
Requires validation of user-supplied image data and URLs prior to passing to addImage or html methods, preventing processing of malicious GIFs with excessive width/height values.
Protects against denial-of-service events like the out-of-memory condition triggered by uncontrolled resource consumption from malformed image inputs.