CVE-2025-68428: CWE-35: Path Traversal: '.../...//' in parallax jsPDF
CVE-2025-68428 is a critical path traversal vulnerability in the node.js builds of the jsPDF library prior to version 4.0.0. It allows an attacker to supply unsanitized file paths to methods like loadFile, addImage, html, and addFont, enabling local file inclusion and arbitrary file content disclosure on the host system. Exploitation requires no authentication or user interaction and can lead to significant confidentiality breaches. The vulnerability is fixed in jsPDF 4.0.0, which restricts filesystem access by default. Node.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-68428 affects the jsPDF library, specifically its node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) prior to version 4.0.0. jsPDF is widely used to generate PDF documents in JavaScript environments. The flaw arises because the loadFile method, along with addImage, html, and addFont methods, accepts a file path as its first argument without proper sanitization. This allows an attacker to perform path traversal attacks by injecting sequences like '.../...//' to navigate the filesystem arbitrarily. Consequently, an attacker can cause the node.js process to read and embed contents of arbitrary local files into generated PDFs. Since these methods are used server-side, this can lead to local file inclusion (LFI) vulnerabilities, exposing sensitive files such as configuration files, credentials, or source code. The vulnerability requires no privileges or user interaction, making it trivially exploitable remotely if untrusted input is passed to these methods. The issue was addressed in jsPDF version 4.0.0 by restricting filesystem access by default. Additionally, modern node.js versions support the --permission flag to limit filesystem access, which jsPDF recommends using in production. For environments running older node.js versions, sanitizing user input paths before passing them to jsPDF is critical. No known exploits are currently reported in the wild, but the high CVSS score (9.2) underscores the severity and potential impact of this vulnerability.
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality and data integrity. Organizations that generate PDFs server-side using vulnerable jsPDF versions and accept user-supplied input for file paths are at risk of arbitrary local file disclosure. This can lead to leakage of sensitive internal documents, credentials, or intellectual property. Attackers could leverage this to escalate attacks, pivot within networks, or conduct espionage. The vulnerability does not directly affect availability but can severely compromise trust and compliance, especially under GDPR and other data protection regulations. Industries such as finance, healthcare, government, and technology sectors in Europe that rely on jsPDF in their backend systems are particularly vulnerable. The ease of exploitation without authentication or user interaction increases the threat level. Failure to patch or mitigate could result in regulatory penalties, reputational damage, and operational disruptions.
Mitigation Recommendations
1. Upgrade all jsPDF node.js builds to version 4.0.0 or later immediately to benefit from built-in filesystem access restrictions.
2. For environments where upgrading is not immediately possible, implement strict sanitization of all user-supplied file path inputs before passing them to jsPDF methods like loadFile, addImage, html, and addFont.
3. Utilize modern node.js versions (v20.0.0 and above) and enforce the --permission flag to restrict filesystem access in production environments.
4. Conduct code audits to identify any usage of vulnerable jsPDF methods with user-controlled inputs.
5. Employ runtime monitoring and file integrity checks to detect unusual file access patterns by node.js processes.
6. Isolate PDF generation services in restricted containers or sandboxes to limit filesystem exposure.
7. Educate development teams about secure handling of file paths and the risks of path traversal.
8. Review and update incident response plans to include scenarios involving local file inclusion vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-17T15:29:39.378Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 695c32b23839e4417593972b
Added to database: 1/5/2026, 9:52:50 PM
Last enriched: 1/13/2026, 1:05:17 AM
Last updated: 2/7/2026, 4:09:31 AM