CVE-2026-25535

EUVD-2026-8095

19.02.2026, 15:16

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
parall	jspdf	𝑥 < 4.2.0

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md

https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6

https://github.com/parallax/jsPDF/releases/tag/v4.2.0

https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj