Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.
Published: 2026-02-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

jsPDF is a JavaScript library for generating PDFs. This vulnerability involves the misuse of width and height values in GIF headers when they are passed to the addImage method. An attacker can supply a malicious GIF with unusually large dimensions, causing jsPDF to attempt excessive memory allocation that eventually exhausts the process memory and stops the application. The result is a denial of service that compromises application availability. The weakness is categorized as CWE‑400 (Resource Exhaustion) and CWE‑770 (Out‑of‑Bound Resource Access).

Affected Systems

The affected product is jsPDF, developed by parallax. All releases prior to version 4.2.0 are vulnerable. The vulnerability affects the addImage and html methods and applies to both client‑side and server‑side JavaScript deployments. If an application accepts user‑supplied image URLs or data that is passed to these methods, it is exposed to this denial‑of‑service condition.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score is below 1 %, indicating a very low but non‑zero probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. An attacker needs the ability to supply image data or URLs to addImage or html, which is often allowed in web applications that process user content; no elevated privileges or authentication are required. The vendor’s commit history shows the issue was fixed in version 4.2.0, but until an upgrade or mitigation is applied, user‑controlled images can trigger memory exhaustion remotely.

Generated by OpenCVE AI on April 17, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jsPDF to version 4.2.0 or later to apply the official patch.
  • Sanitize or validate all image data before passing it to addImage or html, and enforce reasonable limits on width and height values.
  • Remove or restrict the use of user‑supplied image URLs or data in the application until the library is updated or the input is properly validated.

Generated by OpenCVE AI on April 17, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-67pg-wm7f-q7fj jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
History

Mon, 23 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Parall
Parall jspdf
Vendors & Products Parall
Parall jspdf

Fri, 20 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Thu, 19 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
Description jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.
Title jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
Weaknesses CWE-400
CWE-770
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Parall Jspdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T16:03:26.484Z

Reserved: 2026-02-02T19:59:47.374Z

Link: CVE-2026-25535

cve-icon Vulnrichment

Updated: 2026-02-19T16:03:09.356Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T15:16:12.130

Modified: 2026-02-23T19:13:18.717

Link: CVE-2026-25535

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-19T14:34:05Z

Links: CVE-2026-25535 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z

Weaknesses