jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
- Severity: High
Description
User control of the first argument of the addImage method results in denial of service.
If unsanitized image data or URLs can be passed to the addImage method, a user can supply a harmful GIF file that causes out-of-memory errors and denial of service.
Recommendation
Update the jspdf package to the latest compatible version. Version details:
- Affected version(s): < 4.2.0
- Patched version(s): 4.2.0
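For code that must accept untrusted GIFs, the declared dimensions can be checked before the bytes reach addImage. The following is an added example, not jsPDF's code or its fix; the function names, the 16-megapixel budget and the sample bytes are assumptions made for illustration.

```javascript
// Added example (not jsPDF code): reject GIFs that declare oversized dimensions.
const MAX_PIXELS = 16 * 1024 * 1024; // assumed budget; tune to your memory limits
function u16(buf, off) { // little-endian 16-bit read with bounds check
  if (off + 2 > buf.length) throw new RangeError("truncated GIF");
  return buf[off] | (buf[off + 1] << 8);
}

// Skip a chain of data sub-blocks: [size][size bytes]... ended by a 0 size byte.
function skipSubBlocks(buf, p) {
  for (;;) {
    if (p >= buf.length) throw new RangeError("truncated GIF");
    const size = buf[p++];
    if (size === 0) return p;
    p += size;
  }
}

// Largest width*height declared by the logical screen or by any frame.
function gifMaxPixels(buf) {
  const sig = String.fromCharCode(...buf.subarray(0, 6));
  if (sig !== "GIF87a" && sig !== "GIF89a") throw new TypeError("not a GIF");
  let max = u16(buf, 6) * u16(buf, 8);
  let p = 13;
  if (buf[10] & 0x80) p += 3 * (1 << ((buf[10] & 7) + 1)); // global color table
  while (p < buf.length && buf[p] !== 0x3b) { // 0x3b = trailer
    const tag = buf[p++];
    if (tag === 0x21) { // extension: label byte, then sub-blocks
      p = skipSubBlocks(buf, p + 1);
    } else if (tag === 0x2c) { // image descriptor: left, top, width, height, packed
      max = Math.max(max, u16(buf, p + 4) * u16(buf, p + 6));
      const packed = buf[p + 8];
      p += 9;
      if (packed & 0x80) p += 3 * (1 << ((packed & 7) + 1)); // local color table
      p = skipSubBlocks(buf, p + 1); // LZW minimum code size, then image data
    } else {
      throw new TypeError("unexpected GIF block");
    }
  }
  return max;
}

function isGifSafe(buf, maxPixels = MAX_PIXELS) {
  try { return gifMaxPixels(buf) <= maxPixels; } catch { return false; }
}

// Constructed sample: minimal 1x1 GIF; w and h set the logical screen size.
const sampleGif = (w, h) => Uint8Array.from([71, 73, 70, 56, 57, 97, w & 255, w >> 8,
  h & 255, h >> 8, 0x80, 0, 0, 0, 0, 0, 255, 255, 255, 0x2c, 0, 0, 0, 0, 1, 0, 1, 0, 0,
  2, 2, 0x4c, 1, 0, 0x3b]);
```

Call isGifSafe on the raw bytes and pass them to addImage only when it returns true; malformed or truncated files are rejected as well. This is defense in depth alongside the upgrade to 4.2.0, not a replacement for it.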
Related Issues
- jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- Seroval affected by Denial of Service via Deeply Nested Objects - CVE-2026-24006
- Seroval affected by Denial of Service via Array serialization - CVE-2026-23957
- Tags: npm, jspdf
Last updated on February 19, 2026