CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Vulnerabilities

Critical Vulnerability Patched in jsPDF

The bug can allow attackers to read arbitrary files from the system, potentially exposing configurations and credentials. The post Critical Vulnerability Patched in jsPDF appeared first on SecurityWeek.

Development software vulnerability

A critical-severity vulnerability recently patched in the jsPDF library could allow attackers to read sensitive information, including configuration files and credentials, Endor Labs warns.

A popular NPM package with more than 3.5 million downloads per week, jsPDF supports the creation of PDF documents in JavaScript applications.

The flaw, tracked as CVE-2025-68428 (CVSS score of 9.2), is a local file inclusion/path traversal issue in the library’s loadFile method.

Because user-controlled input is passed as a file path argument, jsPDF reads the specified file and includes its content in the PDF output.

“If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs,” jsPDF’s maintainers explain in an advisory.

Public-facing methods that internally call loadFile and could be abused as attack vectors include addImage, html, and addFont.

Only the Node.js builds of jsPDF are impacted by the flaw, which was addressed in jsPDF version 4.0.0 by restricting file access by default.

According to Endor Labs, an attacker could exploit the vulnerability to disclose configuration files, credentials, environment variables, and the contents of any other file that the Node.js process can access.

“The library reads whatever file path is provided and embeds the raw content. Path traversal sequences allow reading files outside the intended directory scope. This becomes externally exploitable when a user-controlled value is passed to the first parameter within the impacted methods,” Endor Labs says.

To resolve the vulnerability, users should update to jsPDF version 4.0.0 and leverage Node’s permission flags to enforce access to specific files only.

“If you upgrade to jsPDF 4.0.0 but configure Node.js with broad read permissions to keep the application running, you remain vulnerable,” Endor Labs explains.

Related: Critical HPE OneView Vulnerability Exploited in Attacks

Related: Vulnerability in Totolink Range Extender Allows Device Takeover

Related: JumpCloud Remote Assist Vulnerability Can Expose Systems to Takeover

Related: Recent GeoServer Vulnerability Exploited in Attacks

Latest News

CYBERNEWSMEDIAPublisher