Skip to main content

Jspdf CVE-2026-25535

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-02-19 security-advisories@github.com GHSA-67pg-wm7f-q7fj
Denial Of Service Jspdf Red Hat
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:03 vuln.today
PoC Detected
Feb 23, 2026 - 19:13 vuln.today
Public exploit code
Patch released
Feb 23, 2026 - 19:13 nvd
Patch available
CVE Published
Feb 19, 2026 - 15:16 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on jspdf (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.

DescriptionGitHub Advisory

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: html. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

AnalysisAI

Denial of service in jsPDF prior to version 4.2.0 allows remote attackers to trigger out-of-memory conditions by supplying specially crafted GIF files with oversized dimension headers to the addImage or html methods. Public exploit code exists for this vulnerability, affecting applications that process untrusted image data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious GIF with large dimensions
Exploit
Upload or pass GIF to addImage method
Execution
Excessive memory allocation occurs
Impact
Application denial of service
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Application must accept unsanitized image data or URLs to jsPDF's addImage or html methods without input validation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker could exploit this flaw, denial of service.
Remediation A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all applications and dependencies using jsPDF and determine current version inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-25535 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy