jsPDF has Local File Inclusion/Path Traversal vulnerability

Severity:: High

Description

User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal.

If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in.

Recommendation

Update the jspdf package to the latest compatible version. Followings are version details:

Affected version(s): <= 3.0.4
Patched version(s): 4.0.0

References

GHSA-f8cm-6447-x5h2
CVE-2025-68428
CWE-22
CWE-35
CWE-73
CAPEC-310
OWASP 2021-A1
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Cross-Site Scripting in sanitize-html (GHSA-xc6g-ggrc-qq4r) - CVE-2017-16016
jsPDF Denial of Service (DoS) - CVE-2025-57810
jsPDF Bypass Regular Expression Denial of Service (ReDoS) - CVE-2025-29907
JS Html Sanitizer allows XSS when used with contentEditable - CVE-2025-29771

Tags:: npm; jspdf

Anything's wrong? Let us know Last updated on January 16, 2026