The jsPDF library for generating PDF documents in JavaScript applications has a critical vulnerability that allows an attacker to steal sensitive data from the local filesystem by having it included in generated files.
The flaw is a local file inclusion and path traversal that allows passing unsanitized paths to the file loading mechanism (loadFile) in jsPDF versions before 4.0. It is tracked as CVE-2025-68428 and received a severity score of 9.2.
The jsPDF library is a widely adopted package with more than 3.5 million weekly downloads in the npm registry.
In jsPDF’s Node.js builds, the 'loadFile' function reads from the local filesystem. The problem arises when user-controlled input is passed as the file path, causing jsPDF to incorporate the content of that file into the generated PDF output.
[Image: Exploitation example. Source: Parallax]
Other file loading methods are also affected, including 'addImage', 'html', and 'addFont', as all can call the loadFile function.
According to the jsPDF security bulletin, the issue only affects the Node.js builds of the library, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.
In a detailed technical report, application security company Endor Labs says that the exploitation risk is low or nonexistent if file paths are hardcoded, come from a trusted configuration, or are restricted by strict input allowlists.
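One way to implement the strict-allowlist condition described above in a Node.js service that accepts asset names from users. This is an added example, not code from jsPDF, Parallax, or Endor Labs; `ASSET_ROOT`, `ALLOWED_EXTENSIONS`, `UnsafePathError`, and `resolveAssetPath` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example (not jsPDF code): gate user-supplied asset names before they
// reach jsPDF calls that load files (loadFile, addImage, html, addFont).
const path = require('node:path');

// Assumptions: assets live under one directory, and only these types are needed.
const ASSET_ROOT = path.resolve('/srv/app/pdf-assets'); // hypothetical location
const ALLOWED_EXTENSIONS = new Set(['.png', '.jpg', '.jpeg', '.ttf']);

class UnsafePathError extends Error {}

function resolveAssetPath(userInput, root = ASSET_ROOT) {
  if (typeof userInput !== 'string' || userInput.length === 0) {
    throw new UnsafePathError('asset name must be a non-empty string');
  }
  // NUL bytes and absolute paths are never legitimate asset names.
  if (userInput.includes('\0') || path.isAbsolute(userInput)) {
    throw new UnsafePathError('absolute paths and NUL bytes are rejected');
  }
  // Normalise first, then check containment on the normalised result.
  const resolved = path.resolve(root, userInput);
  const relative = path.relative(root, resolved);
  const escapes = relative === '' || relative === '..' ||
    relative.startsWith('..' + path.sep) || path.isAbsolute(relative);
  if (escapes) {
    throw new UnsafePathError('path escapes the asset directory');
  }
  if (!ALLOWED_EXTENSIONS.has(path.extname(resolved).toLowerCase())) {
    throw new UnsafePathError('file type is not on the allowlist');
  }
  // Note: path.resolve does not follow symlinks; if the asset directory can
  // contain them, also compare fs.realpathSync(resolved) against the root.
  return resolved;
}

// Constructed sample inputs: two legitimate names and three that must fail.
for (const name of ['logo.png', 'fonts/Inter.ttf', '../../etc/passwd',
  '/etc/passwd', 'settings.json']) {
  try {
    console.log('ok      ', resolveAssetPath(name));
  } catch (err) {
    console.log('rejected', JSON.stringify(name), '-', err.message);
  }
}
```

Only the path returned by the validator should be handed to jsPDF; the check complements the upgrade to 4.0.0 and does not replace it.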
CVE-2025-68428 was fixed in version 4.0.0 of jsPDF by restricting filesystem access by default and relying instead on Node.js permission mode.