Local File Inclusion Vulnerability in jsPDF Library by Parallax
CVE-2025-68428

9.2 CRITICAL

Key Information:

Vendor: Parallax

Status: Vendor

CVE Published: 5 January 2026

Badges

📈 Score: 124 | 👾 Exploit Exists | 🟡 Public PoC | 📰 News Worthy

What is CVE-2025-68428?

CVE-2025-68428 is a local file inclusion vulnerability in the jsPDF library developed by Parallax. jsPDF is a JavaScript library that lets developers generate PDF documents directly in client-side applications. The vulnerability lies specifically in the Node.js implementation of the library, where the first argument of the loadFile method is not adequately sanitized. Because of this, an attacker who controls that argument can perform path traversal and read arbitrary files on the local file system of the machine where the Node process is running. The contents of such files are then included unaltered in the generated PDF, so sensitive data (configuration, credentials, private documents) can be extracted, which poses a significant confidentiality risk to the organization running the affected code. The vulnerability is present in all versions prior to 4.0.0, so organizations running an affected version without updating remain exposed.

Potential impact of CVE-2025-68428

  1. Data Exposure: Attackers can exploit this vulnerability to access and extract sensitive files from the local file system. This could include confidential documents, credentials, or other critical data, significantly compromising data integrity and privacy.

  2. Malicious Document Generation: The vulnerability allows unauthorized data to be included in PDFs generated by the library. This could lead to the distribution of malicious documents containing sensitive information, which may facilitate further attacks or social engineering tactics.

  3. Reputation Damage and Compliance Issues: An organization affected by this vulnerability may face reputational harm if sensitive data is leaked, leading to a loss of customer trust. Furthermore, the exposure of sensitive information could result in non-compliance with regulatory frameworks, leading to legal consequences and financial penalties.

Affected Version(s)

jsPDF < 4.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

Critical Vulnerability Patched in jsPDF

A jsPDF vulnerability tracked as CVE-2025-68428 could allow attackers to read arbitrary files, exposing configurations and credentials.

4 days ago

Critical jsPDF vulnerability enables arbitrary file read in Node.js deployments

The path traversal bug allows attackers to include arbitrary filesystem content in generated PDFs when file paths are not properly validated.

4 days ago


CVSS V4

  • Score: 9.2
  • Severity: CRITICAL
  • Confidentiality: High
  • Integrity: None
  • Availability: None
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Required: None
  • Privileges Required: Undefined
  • User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by Cyber Press

  • Vulnerability published

  • Vulnerability Reserved
