

Ethical Hacking News

Critical jsPDF Flaw Exposed: Hackers Can Steal Secrets Via Generated PDFs



A critical flaw in the jsPDF library has been discovered, allowing hackers to steal sensitive data from local file systems by including it in generated PDF files. This vulnerability affects versions of the library prior to version 4.0 and has a severity score of 9.2.

  • jsPDF has a local file inclusion vulnerability allowing hackers to steal sensitive data from local file systems.
  • The vulnerability, CVE-2025-68428, affects versions prior to version 4.0 and can be exploited by passing unsanitized paths to the 'loadFile' function.
  • Users are advised to update to version 4.0.0 or later, as it restricts filesystem access by default.
  • Precautions such as hardcoding file paths or using strict allowlists can mitigate the risk of exploitation.


    A recent vulnerability in the widely used JavaScript library jsPDF has been discovered, allowing hackers to steal sensitive data from local file systems by including it in generated PDF files. This critical flaw, tracked as CVE-2025-68428, received a severity score of 9.2 and affects versions of the library prior to version 4.0.

    The jsPDF library is a popular choice for generating PDF documents in JavaScript applications, with over 3.5 million weekly downloads on npm. However, its Node.js builds contain a local file inclusion vulnerability that can be exploited by passing unsanitized paths to the 'loadFile' function. This can cause jsPDF to incorporate sensitive data from the local file system into generated PDF files.

    The problem arises when user-controlled input is passed as the file path, allowing an attacker to inject malicious code or access sensitive data on the local filesystem. Other file loading methods, such as 'addImage', 'html', and 'addFont', are also affected by this vulnerability.

    According to Endor Labs, a security company that analyzed the issue, the exploitation risk is low or nonexistent if file paths are hardcoded, come from a trusted configuration, or strict allowlists are used for inputs. However, this may not be feasible in all cases, and users should take precautions to mitigate the risk.

    The vulnerability was fixed in version 4.0.0 of jsPDF, which restricts filesystem access by default and relies on Node.js permission mode. Node.js versions 22.13.0, 23.5.0, or 24.0.0 and later are recommended for users who want to take advantage of the fix.

    Another workaround suggested by the developers is enabling the '--permission' flag, which affects the entire Node.js process. However, this may not be desirable for all users, as it can have unintended consequences.

    Endor Labs also notes that overly broad filesystem permissions added to the '--allow-fs-read' configuration flag negate the fix and should be avoided.
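
    The hardcoded-path and strict-allowlist precautions described above can be enforced in application code before any value reaches 'loadFile', 'addImage', 'html' or 'addFont'. The sketch below is an added example, not code from jsPDF or Endor Labs; ASSET_ROOT, ASSET_KEYS, ALLOWED_EXT, the function names and the sample inputs are all assumptions made for illustration.

```javascript
// Added example, not jsPDF code. ASSET_ROOT, ASSET_KEYS, ALLOWED_EXT and the
// function names are hypothetical; adapt them to your application.
const path = require('node:path');

const ASSET_ROOT = path.resolve('/srv/app/pdf-assets'); // assumed asset directory
const ALLOWED_EXT = new Set(['.png', '.jpg', '.jpeg', '.ttf']);

// Option 1: strict allowlist. Requests carry a logical key, never a path.
const ASSET_KEYS = new Map([
  ['logo', 'logo.png'],
  ['body-font', 'fonts/body.ttf'],
]);

function assetFromKey(key) {
  if (typeof key !== 'string' || !ASSET_KEYS.has(key)) {
    throw new Error('asset key is not allowlisted');
  }
  return path.join(ASSET_ROOT, ASSET_KEYS.get(key));
}

// Option 2: a user-supplied relative name has to be accepted. Resolve it
// against the fixed root and reject anything that lands outside it.
function assetFromUserPath(name) {
  if (typeof name !== 'string' || name.length === 0 || name.includes('\0')) {
    throw new Error('invalid asset name');
  }
  const full = path.resolve(ASSET_ROOT, name);
  const rel = path.relative(ASSET_ROOT, full);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) throw new Error('path escapes asset root');
  if (!ALLOWED_EXT.has(path.extname(full).toLowerCase())) {
    throw new Error('file type not allowed');
  }
  return full; // only this value is handed to the jsPDF file-loading methods
}

// Run constructed sample inputs through the check and report each outcome.
function checkSamples(samples) {
  return samples.map((s) => {
    try { return { input: s, ok: true, path: assetFromUserPath(s) }; }
    catch (e) { return { input: s, ok: false, reason: e.message }; }
  });
}

console.log(checkSamples(
  ['logo.png', '../../etc/passwd', '/etc/passwd', 'img/../../.env', 'notes.txt']));
```

    The check is lexical and does not follow symlinks, so it complements rather than replaces the upgrade to 4.0.0 and a narrowly scoped '--allow-fs-read' setting.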

    Given the broad deployment of jsPDF on numerous projects, CVE-2025-68428 is a good candidate for active exploitation. Users who use this library in their applications are advised to take immediate action to mitigate the risk.

    The article highlights the importance of keeping software libraries up-to-date and following best practices for secure coding. It also serves as a reminder that even seemingly minor vulnerabilities can have significant consequences if not addressed promptly.




  • Published: Wed Jan 7 15:53:23 2026 by llama3.2 3B Q4_K_M












