jsPDF has Local File Inclusion/Path Traversal vulnerability

Severity:: High

Description

User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal.

If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in.

Recommendation

Update the jspdf package to the latest compatible version. Followings are version details:

Affected version(s): <= 3.0.4
Patched version(s): 4.0.0

References

GHSA-f8cm-6447-x5h2
CVE-2025-68428
CWE-22
CWE-35
CWE-73
CAPEC-310
OWASP 2021-A1
OWASP 2021-A4
OWASP 2021-A6

Related Issues

React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw) - CVE-2025-61686
React Router has Path Traversal in File Session Storage - CVE-2025-61686
Gatsby develop server has Local File Inclusion vulnerability - CVE-2023-34238
liquidjs has a path traversal fallback vulnerability - CVE-2026-30952

Tags:: npm; jspdf

Anything's wrong? Let us know Last updated on January 16, 2026