LEMON BLOG

A Serious jsPDF Vulnerability Could Leak Files Through Generated PDFs

If your application uses jsPDF to generate PDF files, there's a newly disclosed security issue you shouldn't ignore. A critical flaw in certain versions of the library makes it possible for attackers to quietly pull sensitive files from the server and embed them directly into generated PDFs.

What makes this issue especially concerning isn't just its severity score, but how widely jsPDF is used across modern JavaScript projects.

What Went Wrong Inside jsPDF

The vulnerability, tracked as CVE-2025-68428, stems from a local file inclusion and path traversal issue. In affected versions of jsPDF, unsanitised file paths can be passed to an internal file-loading mechanism called loadFile.

When this happens, jsPDF doesn't just reference the file—it reads its contents and includes them in the output PDF. If an attacker can control the file path input, they could potentially extract sensitive files from the local filesystem, such as configuration files, credentials, or environment secrets.

This flaw carries a high severity rating of 9.2, reflecting the damage it could cause if exploited in the right conditions.

Why This Matters So Much

jsPDF isn't a niche library. It's one of the most popular PDF generation tools in the JavaScript ecosystem, pulling in millions of downloads every week from the npm registry.

That widespread adoption means the vulnerability could exist in countless production systems, especially internal tools, reporting dashboards, and document-generation services that rely on server-side PDF creation.

Which Parts of jsPDF Are Affected

The issue specifically impacts jsPDF's Node.js builds, particularly the files distributed as jspdf.node.js and jspdf.node.min.js.

While loadFile is the core of the problem, it's not the only risk surface. Other commonly used functions—such as addImage, html, and addFont—can also end up calling loadFile internally. If user-controlled input flows into any of these paths without proper validation, the same exposure applies.

Browser-based jsPDF usage is not affected by this flaw, as it does not have direct access to the server filesystem.

How Realistic Is Exploitation?

According to analysis by application security firm Endor Labs, the actual risk depends heavily on how jsPDF is used. If file paths are hardcoded, sourced from trusted configuration files, or strictly restricted through allowlists, the exploitability drops significantly.

The danger rises when file paths are influenced by user input—directly or indirectly—without proper sanitisation. In those cases, the vulnerability becomes far more attractive to attackers.

Given jsPDF's broad footprint, researchers warn that CVE-2025-68428 is a strong candidate for active exploitation, especially in poorly secured backend services.

The Fix and Its Caveats

The vulnerability was addressed in jsPDF version 4.0.0. The fix works by restricting filesystem access by default and leaning on Node.js's permission model rather than unrestricted file reads.

However, there's a catch. Node's permission mode is still considered experimental in Node 20. Because of that, security researchers recommend running newer Node versions—specifically 22.13.0, 23.5.0, or 24.0.0 and later—for better reliability and protection.

Another workaround suggested by jsPDF maintainers involves launching Node with the --permission flag. While this can help, it applies globally to the entire Node.js process, not just jsPDF. That can introduce unexpected side effects in larger applications.

Endor Labs also warns that granting overly broad filesystem access using flags like --allow-fs-read can completely undermine the fix, effectively reopening the vulnerability.
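A startup self-check for the scoping problem described above, as an added example that is not code from jsPDF, Node.js or Endor Labs. It uses Node's `process.permission.has()` API; the asset directory and the list of sensitive paths are assumed values for a hypothetical PDF service.

```javascript
// Hypothetical values: the only directory the PDF service needs, and paths it must never reach.
const ASSET_DIR = '/srv/pdf-service/assets';
const SENSITIVE_PATHS = ['/etc/passwd', '/proc/self/environ', '/srv/pdf-service/.env'];

// `permission` is process.permission, which is undefined when the permission model is off.
function auditFsReadScope(permission, requiredPaths, sensitivePaths = SENSITIVE_PATHS) {
  if (!permission || typeof permission.has !== 'function') {
    return ['permission model disabled: file reads are unrestricted'];
  }
  const findings = [];
  for (const p of requiredPaths) {
    if (!permission.has('fs.read', p)) findings.push(`missing read grant: ${p}`);
  }
  for (const p of sensitivePaths) {
    // True here means --allow-fs-read was granted too broadly (for example "*" or "/").
    if (permission.has('fs.read', p)) findings.push(`read grant too broad, covers: ${p}`);
  }
  return findings;
}

// Startup check against the live process; an empty list means the scope is as intended.
const startupFindings = auditFsReadScope(process.permission, [ASSET_DIR]);
for (const f of startupFindings) console.warn(`[fs-permission] ${f}`);
```

Run at service start, this turns a misconfigured launch command into a visible warning (or a refusal to start, if you choose to exit on findings) before any PDF is generated.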

What Developers Should Do Now

For teams running older Node versions or unable to upgrade immediately, the safest interim measure is to strictly sanitise and validate all file paths before passing them into jsPDF. No user-controlled path should ever reach file-loading functions unchecked.
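One way to implement that path validation, as an added example that is not part of jsPDF or the original post. The helper name `resolveAssetPath`, the extension allowlist and the temporary demo directory are assumptions; the idea is to resolve the untrusted name against a fixed base directory, follow symlinks, and reject anything whose real location falls outside that base.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumed policy: only image and font types this service embeds.
const ALLOWED_EXTENSIONS = new Set(['.png', '.jpg', '.jpeg', '.ttf']);

// Hypothetical helper: map an untrusted asset name to a real file inside baseDir, or throw.
function resolveAssetPath(baseDir, untrustedName) {
  if (typeof untrustedName !== 'string' || !untrustedName || untrustedName.includes('\0')) {
    throw new Error('invalid asset name');
  }
  if (!ALLOWED_EXTENSIONS.has(path.extname(untrustedName).toLowerCase())) {
    throw new Error('file type not allowed');
  }
  const realBase = fs.realpathSync(baseDir);
  // resolve() collapses ".." and lets an absolute name replace the base;
  // realpathSync() then follows symlinks, so the check below sees the final target.
  let real;
  try {
    real = fs.realpathSync(path.resolve(realBase, untrustedName));
  } catch {
    throw new Error('asset not found');
  }
  const rel = path.relative(realBase, real);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes asset directory');
  }
  return real; // only this value is handed on to jsPDF (addImage, addFont, ...)
}

// Constructed demo: temp asset dir with one image and a symlink pointing outside it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'pdf-assets-'));
  const assets = path.join(root, 'assets');
  fs.mkdirSync(assets);
  fs.writeFileSync(path.join(assets, 'logo.png'), 'constructed sample');
  fs.writeFileSync(path.join(root, 'secret.png'), 'outside the asset dir');
  fs.symlinkSync(path.join(root, 'secret.png'), path.join(assets, 'link.png'));
  const verdict = (name) => {
    try { resolveAssetPath(assets, name); return 'allowed'; } catch (e) { return e.message; }
  };
  const names = ['logo.png', '../secret.png', 'link.png', '/etc/passwd', 'missing.png'];
  return Object.fromEntries(names.map((n) => [n, verdict(n)]));
}

console.log(demo());
```

Pass the returned real path to jsPDF rather than the original string, so the file that was checked is the file that is read.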

Longer term, upgrading to jsPDF 4.0.0 and running it on a modern Node release is the most reliable way to mitigate the issue.

A Reminder About Dependency Risk

CVE-2025-68428 is another reminder that even well-established, widely trusted libraries can introduce serious security risks when assumptions change or edge cases are overlooked.

If your application generates PDFs on the server using jsPDF, now is the time to review your implementation. What looks like a simple document feature could otherwise become an unexpected data leak waiting to happen.

Wednesday, 14 January 2026
