Path traversal in jspdf - CVE-2025-68428

 


Published: January 5, 2026 / Updated: January 16, 2026


Vulnerability identifier: #VU120930
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2025-68428
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Jelle_S
Affected software:
jspdf

Detailed vulnerability description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences passed via the first argument of the loadFile, addImage, html, and addFont methods in the Node.js build (the dist/jspdf.node.js and dist/jspdf.node.min.js files). A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.


How to mitigate CVE-2025-68428

Install updates from the vendor's website.
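
A caller-side guard for the file-path arguments described above, as an added example that is not jsPDF's code or the vendor's fix: it confines a user-supplied name to one asset directory before the value is handed to a method such as loadFile or addImage. The function name resolveInsideBase, the directory layout and the sample inputs are assumptions constructed for the demo.

```javascript
// Added example: confine user-supplied file names to one directory before
// they reach a file-reading call. All names here are hypothetical.
const nodeFs = require("fs");
const nodeOs = require("os");
const nodePath = require("path");

// Returns the canonical path of `userPath` under `baseDir`, or throws.
function resolveInsideBase(baseDir, userPath) {
  if (typeof userPath !== "string" || userPath === "" || userPath.includes("\0")) {
    throw new Error("rejected: not a usable file name");
  }
  const base = nodeFs.realpathSync(baseDir); // canonical form of the allowed root
  let real;
  try {
    // resolve() collapses "../" lexically; realpath() follows symlinks and
    // fails when the file does not exist, which is what a read guard wants.
    real = nodeFs.realpathSync(nodePath.resolve(base, userPath));
  } catch (err) {
    throw new Error("rejected: cannot resolve path (" + err.code + ")");
  }
  const rel = nodePath.relative(base, real);
  const escapes = rel === ".." || rel.startsWith(".." + nodePath.sep) || nodePath.isAbsolute(rel);
  if (rel === "" || escapes) {
    throw new Error("rejected: path is not a file inside " + base);
  }
  return real;
}

// Constructed demo tree: one allowed asset, one file outside the asset directory.
function demo() {
  const root = nodeFs.mkdtempSync(nodePath.join(nodeOs.tmpdir(), "pdf-assets-"));
  const assets = nodePath.join(root, "assets");
  const secret = nodePath.join(root, "secret.txt");
  nodeFs.mkdirSync(assets);
  nodeFs.writeFileSync(nodePath.join(assets, "logo.png"), "constructed image bytes");
  nodeFs.writeFileSync(secret, "constructed secret");
  nodeFs.symlinkSync(secret, nodePath.join(assets, "link.png"));
  const inputs = { plain: "logo.png", dotdot: "../secret.txt", absolute: secret,
                   symlink: "link.png", normalised: "sub/../logo.png", missing: "nope.png" };
  const verdicts = {};
  for (const [label, value] of Object.entries(inputs)) {
    try { resolveInsideBase(assets, value); verdicts[label] = "allowed"; }
    catch (err) { verdicts[label] = "rejected"; }
  }
  nodeFs.rmSync(root, { recursive: true, force: true });
  return verdicts;
}

console.log(demo());
```

The returned canonical path, not the raw input, is the value to pass on to the file-reading call.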
