Critical jsPDF Flaw Lets Hackers Steal Secrets via Generated PDFs

What happened

A critical jsPDF flaw allows attackers to exfiltrate sensitive information through manipulated PDF generation. The vulnerability exists in the Node.js builds of jsPDF versions prior to 4.0.0, where unsanitized file paths passed to functions like loadFile, addImage, html, and addFont can lead to local file inclusion and path traversal. This enables malicious actors to read arbitrary files from the server’s filesystem and embed their contents into generated PDFs, potentially exposing configuration files, credentials, and other sensitive data. According to application security company Endor Labs, exploitation risk depends on how jsPDF is used: it may be low or nonexistent if file paths are hardcoded, come from trusted configuration sources, or are validated against strict allowlists. They also note caveats in mitigation techniques such as Node.js permission flags, which affect the entire process and may be impractical without careful configuration.

Who is affected

Web applications using jsPDF, enterprise reporting tools, and end users opening generated PDFs face direct risk of data exposure.

Why CISOs should care

Vulnerable PDF generation can leak confidential information, enabling intellectual property theft and compliance violations.

3 practical actions

Update jsPDF libraries: Upgrade to the latest secure versions.

Sanitize input data: Validate all input used in PDF generation.

Limit PDF execution environments: Restrict automatic script execution in PDF readers where feasible.
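
One way to apply the "strict allowlist" validation described above before a path reaches jsPDF functions such as loadFile or addImage in a Node.js service. This is an added example, not code from the article, jsPDF or Endor Labs; the helper names (resolveAssetPath, isInside), the extension policy and the temp-directory layout are assumptions made for illustration.

```javascript
// Added example, not jsPDF code: allowlist check for a requested asset path.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const ALLOWED_EXTENSIONS = new Set(['.png', '.jpg', '.jpeg', '.ttf']); // assumed policy

// True only when p is strictly below root (not root itself, not a sibling or parent).
function isInside(root, p) {
  const rel = path.relative(root, p);
  return rel !== '' && rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Hypothetical helper: returns a symlink-resolved path inside baseDir, or throws.
function resolveAssetPath(baseDir, requested) {
  if (typeof requested !== 'string' || requested === '' || requested.includes('\0')) {
    throw new Error('invalid path');
  }
  const root = fs.realpathSync(baseDir);
  const candidate = path.resolve(root, requested); // collapses ".." and absolute input
  if (!isInside(root, candidate)) throw new Error('path escapes asset directory');
  if (!ALLOWED_EXTENSIONS.has(path.extname(candidate).toLowerCase())) {
    throw new Error('extension not allowed');
  }
  const real = fs.realpathSync(candidate); // follows symlinks; throws if the file is missing
  if (!isInside(root, real)) throw new Error('symlink escapes asset directory');
  return real; // pass this value, never the raw input, to the PDF library
}

// Constructed demo data in a temp directory; returns a verdict per sample input.
function demo() {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'pdf-assets-'));
  const assets = path.join(tmp, 'assets');
  fs.mkdirSync(assets);
  fs.writeFileSync(path.join(assets, 'logo.png'), 'constructed image bytes');
  fs.writeFileSync(path.join(tmp, 'secret.env'), 'constructed secret');
  fs.symlinkSync(path.join(tmp, 'secret.env'), path.join(assets, 'link.png'));
  const inputs = ['logo.png', '../assets/logo.png', '../secret.env', '/etc/passwd', 'link.png', 'notes.txt'];
  const verdicts = {};
  for (const input of inputs) {
    try { resolveAssetPath(assets, input); verdicts[input] = 'allowed'; }
    catch (err) { verdicts[input] = err.message; }
  }
  fs.rmSync(tmp, { recursive: true, force: true });
  return verdicts;
}

console.log(demo());
```

The check runs twice on purpose: once on the normalized path and once after symlink resolution, so a link inside the asset directory cannot point the PDF generator at a file outside it.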