CVE-2026-25535
Published: 19 February 2026
Summary
CVE-2026-25535 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Parall Jspdf. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
Planning and coordination of security activities (scans, tests, maintenance) directly imposes scheduling and throttling that prevents those activities from producing uncontrolled resource consumption.
Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate.
Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes remote exploitation of a resource exhaustion flaw (CWE-400/770) in jsPDF's addImage/html methods via malicious image input, directly enabling adversaries to crash the target application or browser through uncontrolled memory allocation. This maps precisely to T1499.004 (Application or System Exploitation) under the Impact tactic.
NVD Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the…
more
`addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.
Deeper analysisAI
CVE-2026-25535 affects jsPDF, a JavaScript library for generating PDFs, in versions prior to 4.2.0. The vulnerability arises from user control over the first argument of the `addImage` method, as well as the `html` method, allowing unsanitized image data or URLs to trigger a denial of service. Specifically, a malicious GIF file with excessively large width and/or height values in its header causes uncontrolled memory allocation, leading to out-of-memory errors. This issue is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this vulnerability remotely over a network with low complexity, requiring no privileges or user interaction. Any context where untrusted users or inputs can supply image data or URLs to the affected methods—such as web applications using jsPDF for dynamic PDF generation—is at risk. Successful exploitation results in denial of service through excessive memory consumption, potentially crashing the application or browser tab processing the PDF generation.
The jsPDF security advisory (GHSA-67pg-wm7f-q7fj) and release notes for version 4.2.0 confirm the fix via commit 2e5e156e284d92c7d134bce97e6418756941d5e6. As a mitigation, upgrade to jsPDF 4.2.0 or later. In the interim, sanitize all image data and URLs before passing them to `addImage` or `html` methods to prevent processing of malformed inputs.
Details
- CWE(s)