#VU120930 Path traversal in jspdf - CVE-2025-68428

 

Published: January 5, 2026 / Updated: January 16, 2026


Vulnerability identifier: #VU120930
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2025-68428
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software:
jspdf
Software vendor:
Jelle_S

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences passed via the first argument of the loadFile, addImage, html, and addFont methods in the Node.js build (the dist/jspdf.node.js and dist/jspdf.node.min.js files). A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.


Remediation

Install updates from the vendor's website.
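As a defence-in-depth measure alongside the update, an application that builds the first argument of loadFile, addImage, html or addFont from request data can resolve it against a fixed asset directory and reject anything that lands outside it. The sketch below is an added example, not code from jsPDF or from this advisory; resolveInside, demo and the temporary fixture files are hypothetical names constructed for illustration.

```javascript
'use strict';
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Resolve an untrusted name against an allow-listed directory. Returns the
// real absolute path, or throws if the target is missing or outside baseDir.
function resolveInside(baseDir, untrusted) {
  if (typeof untrusted !== 'string' || untrusted.includes('\0')) {
    throw new Error('path must be a string without NUL bytes');
  }
  const base = fs.realpathSync(baseDir);
  // realpathSync follows symlinks, so a link inside base that points
  // elsewhere is judged by its real target. It throws if the file is missing.
  const real = fs.realpathSync(path.resolve(base, untrusted));
  const rel = path.relative(base, real);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes ' + base);
  }
  return real; // only this value would be handed on as the first argument
}

// Constructed fixture: <tmp>/assets/logo.png is allowed, <tmp>/secret.txt is not.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'pdf-assets-'));
  const assets = path.join(root, 'assets');
  fs.mkdirSync(path.join(assets, 'img'), { recursive: true });
  fs.writeFileSync(path.join(assets, 'logo.png'), 'constructed sample');
  fs.writeFileSync(path.join(root, 'secret.txt'), 'constructed secret');
  fs.symlinkSync(path.join(root, 'secret.txt'), path.join(assets, 'link.png'));

  const inputs = ['logo.png', 'img/../logo.png', '../secret.txt',
    path.join(root, 'secret.txt'), 'link.png', 'missing.png'];
  const results = {};
  for (const input of inputs) {
    const label = path.isAbsolute(input) ? '<absolute>' : input;
    try {
      results[label] = path.basename(resolveInside(assets, input));
    } catch (err) {
      results[label] = 'rejected';
    }
  }
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

The check compares real paths after symlink resolution, so a plain string filter for `../` is not what decides the outcome.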
