jsPDF Denial of Service (DoS)

Severity:: High

Description

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service.

Other affected methods are: html.

Recommendation

Update the jspdf package to the latest compatible version. Followings are version details:

Affected version(s): <= 3.0.1
Patched version(s): 3.0.2

References

GHSA-8mvj-3j78-4qmw
CVE-2025-57810
CWE-20
CWE-835
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

jsPDF Bypass Regular Expression Denial of Service (ReDoS) - CVE-2025-29907
jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS) - CVE-2023-25653
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272

Tags:: npm; jspdf

Anything's wrong? Let us know Last updated on September 10, 2025