Denial of Service in jsPDF Library Prior to Version 4.2.0
CVE-2026-25535
8.7 HIGH
What is CVE-2026-25535?
The jsPDF library, widely used for generating PDFs in JavaScript, is susceptible to denial of service due to inadequate input handling in the addImage method. An attacker can exploit this vulnerability by supplying unsanitized image data or URLs, which may lead to memory exhaustion and application crashes. This occurs when harmful GIF files with excessively large dimensions are processed, resulting in significant memory allocation issues. To mitigate this risk, users should sanitize all image inputs prior to invoking the addImage or other affected methods. The vulnerability has been resolved in jsPDF version 4.2.0.
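As an added example (not jsPDF's own code and not its 4.2.0 fix), the pre-flight check below reads the dimensions a GIF declares in its logical screen descriptor and in each frame's image descriptor, and rejects the file before it reaches addImage if any of them exceeds a pixel budget. The names checkGifDimensions, skipSubBlocks and sampleGif, and the MAX_PIXELS value, are assumptions chosen for illustration.

```javascript
// Added example: pre-flight GIF dimension check to run before addImage.
// MAX_PIXELS is an assumed budget; size it to the memory you can afford.
const MAX_PIXELS = 16 * 1000 * 1000;

// Skip a chain of data sub-blocks (size byte + data, ended by a 0 byte).
function skipSubBlocks(bytes, pos) {
  while (pos < bytes.length && bytes[pos] !== 0) pos += bytes[pos] + 1;
  if (pos >= bytes.length) throw new Error("truncated GIF");
  return pos + 1;
}

// Returns the declared canvas size; throws if the bytes are not a well-formed
// GIF or if the canvas or any frame declares more than maxPixels.
function checkGifDimensions(bytes, maxPixels = MAX_PIXELS) {
  const u16 = (p) => {
    if (p + 1 >= bytes.length) throw new Error("truncated GIF");
    return bytes[p] | (bytes[p + 1] << 8); // little-endian
  };
  const sig = String.fromCharCode(...bytes.subarray(0, 6));
  if (sig !== "GIF87a" && sig !== "GIF89a") throw new Error("not a GIF");
  const check = (w, h) => {
    if (w * h > maxPixels) throw new Error(`GIF declares ${w}x${h}`);
  };
  const width = u16(6), height = u16(8);
  check(width, height);
  let pos = 13; // end of the logical screen descriptor
  if (bytes[10] & 0x80) pos += 3 * (2 << (bytes[10] & 7)); // global color table
  while (pos < bytes.length) {
    const tag = bytes[pos];
    if (tag === 0x3b) return { width, height }; // trailer: all blocks checked
    if (tag === 0x21) { pos = skipSubBlocks(bytes, pos + 2); continue; }
    if (tag !== 0x2c) throw new Error("unexpected GIF block");
    check(u16(pos + 5), u16(pos + 7)); // frame width and height
    const packed = bytes[pos + 9];
    pos += 10;
    if (packed & 0x80) pos += 3 * (2 << (packed & 7)); // local color table
    pos = skipSubBlocks(bytes, pos + 1); // +1 skips the LZW minimum code size
  }
  throw new Error("truncated GIF");
}

// Constructed sample: minimal one-frame GIF89a declaring w x h.
function sampleGif(w, h) {
  const dim = [w & 255, w >> 8, h & 255, h >> 8];
  return Uint8Array.from([
    0x47, 0x49, 0x46, 0x38, 0x39, 0x61, ...dim, 0, 0, 0, // header + screen
    0x2c, 0, 0, 0, 0, ...dim, 0,                         // image descriptor
    2, 2, 0x4c, 0x01, 0, 0x3b,                           // data + trailer
  ]);
}
```

Run the check on the raw bytes of any untrusted GIF, including one fetched from a user-supplied URL, and pass the bytes to addImage only if it returns.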
Affected Version(s)
jsPDF < 4.2.0
