Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0.
Published: 2026-02-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability arises from the BMPDecoder in jsPDF, which accepts BMP image data supplied to the addImage or html methods without validating the width and height fields contained in the file header. When an attacker supplies a BMP file with extremely large dimensions, the decoder attempts to allocate a proportional amount of memory. This out‑of‑memory condition causes the library to crash or hang, leading to a denial of service against the process that is generating the PDF. The weakness maps to CWE‑770 (Memory Allocation) and CWE‑1285 (Insecure Baseline Configuration).

Affected Systems

Affected users are those running the open‑source jsPDF library bundled in JavaScript, specifically before version 4.1.0. The most recent fixed release is 4.1.0, and the vulnerability is tracked in the Parallax repo under commit ae4b93f. Any application that calls addImage with user‑supplied image data or allows external URLs in the html method, and that hosts jsPDF in a Node.js or browser environment, is within the risk scope.

Risk and Exploitability

With a CVSS score of 8.7 the vulnerability is high severity. The EPSS score falls below 1 %, indicating that known exploit attempts are rare at present, and the issue is not listed in the CISA KEV catalog. Nevertheless, the lack of input validation presents a clear attack path: an adversary that can influence the data passed to addImage or the content rendered by html, such as an attacker‑controlled web form generating PDFs, can trigger the denial of service on the target system. The exploit does not require privileged access beyond the ability to inject the BMP image; once they deliver the crafted file, the process will exhaust memory.

Generated by OpenCVE AI on April 18, 2026 at 00:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jsPDF to version 4.1.0 or later to apply the official fix.
  • If an upgrade is not immediately possible, validate BMP dimensions before calling addImage or the html method, rejecting files that would cause excessive memory allocation.
  • Restrict the addImage method to accept only pre‑sanitised image sources by removing the ability to pass arbitrary URLs or raw BMP data.
  • Monitor for abnormal memory usage or repeated PDF generation failures and block requests that exhibit such behavior.

Generated by OpenCVE AI on April 18, 2026 at 00:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-95fx-jjr5-f39c jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder
History

Wed, 18 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Parall
Parall jspdf
Vendors & Products Parall
Parall jspdf

Wed, 04 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0.
Title jsPDF Affected by Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Parall Jspdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T15:17:40.830Z

Reserved: 2026-01-21T18:38:22.474Z

Link: CVE-2026-24133

cve-icon Vulnrichment

Updated: 2026-02-03T15:17:35.742Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:08.123

Modified: 2026-02-18T14:41:29.463

Link: CVE-2026-24133

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-02T20:32:37Z

Links: CVE-2026-24133 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses