jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
- Severity: High
Description
User control of the first argument of the addImage method results in denial of service.
If an application lets a user pass unsanitized image data or URLs to the addImage method, that user can provide a harmful GIF file that results in out-of-memory errors and denial of service.
Recommendation
Update the jspdf package to the latest compatible version. The version details are as follows:
- Affected version(s): < 4.2.0
- Patched version(s): 4.2.0
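One way to sanitize GIF input before it reaches addImage, shown here as an added example that is not jsPDF's code or part of the advisory: read the dimensions the file declares in its logical screen descriptor and in each frame descriptor, and reject the file when they exceed a pixel budget. The names `checkGifDimensions`, `skipSubBlocks`, `MAX_PIXELS` and the sample bytes are assumptions made for illustration.

```javascript
// Added example: pre-flight check for GIF bytes before doc.addImage().
// MAX_PIXELS is an assumed budget (16 Mpx is about 64 MiB once decoded to RGBA).
const MAX_PIXELS = 16 * 1024 * 1024;

// Constructed 1x1 GIF89a used as sample input (not taken from the advisory).
const SAMPLE_GIF = Uint8Array.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 1, 0, 1, 0, 0x80, 0, 0, 0, 0, 0, 255, 255, 255,
  0x2c, 0, 0, 0, 0, 1, 0, 1, 0, 0, 2, 2, 0x44, 1, 0, 0x3b,
]);

// Data sub-blocks are <size><size bytes>..., terminated by a zero size byte.
function skipSubBlocks(buf, pos) {
  while (pos < buf.length && buf[pos] !== 0) pos += buf[pos] + 1;
  if (pos >= buf.length) throw new Error("truncated GIF sub-blocks");
  return pos + 1;
}

function checkGifDimensions(buf, maxPixels = MAX_PIXELS) {
  if (buf.length < 13) throw new Error("too short for a GIF header");
  const sig = String.fromCharCode(...buf.subarray(0, 6));
  if (sig !== "GIF87a" && sig !== "GIF89a") throw new Error("not a GIF");
  const u16 = (o) => {
    if (o + 1 >= buf.length) throw new Error("truncated GIF");
    return buf[o] | (buf[o + 1] << 8); // little-endian 16-bit field
  };
  const limit = (w, h, what) => {
    if (w * h === 0 || w * h > maxPixels)
      throw new Error(`${what} ${w}x${h} rejected`);
  };
  const width = u16(6), height = u16(8);
  limit(width, height, "logical screen");
  let pos = 13;
  if (buf[10] & 0x80) pos += 3 * (1 << ((buf[10] & 7) + 1)); // global color table
  let frames = 0;
  while (pos < buf.length) {
    const block = buf[pos++];
    if (block === 0x3b) return { width, height, frames }; // trailer
    if (block === 0x21) { pos = skipSubBlocks(buf, pos + 1); continue; } // extension
    if (block !== 0x2c) throw new Error("unexpected GIF block");
    limit(u16(pos + 4), u16(pos + 6), "frame"); // image descriptor width/height
    const packed = buf[pos + 8];
    pos += 9;
    if (packed & 0x80) pos += 3 * (1 << ((packed & 7) + 1)); // local color table
    pos = skipSubBlocks(buf, pos + 1); // skip LZW minimum code size, then data
    frames++;
  }
  throw new Error("missing GIF trailer");
}
```

Run the check on the raw bytes (after decoding any data URL or fetching any URL with a size limit) and only then hand the image to addImage; it complements the upgrade to 4.2.0 rather than replacing it.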
Related Issues
- Parse Server: Pre-authentication denial of service via client version header regex backtracking - CVE-2026-47138
- Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
- jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
- Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
- Tags: npm, jspdf
Last updated on February 19, 2026


