CVE-2025-68428: CWE-35: Path Traversal: '.../...//' in parallax jsPDF
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the `loadFile` method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the `loadFile` method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access by default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-68428 affects the jsPDF library, a popular JavaScript tool used to generate PDFs. Specifically, the Node.js builds of jsPDF (dist/jspdf.node.js and dist/jspdf.node.min.js) prior to version 4.0.0 allow user-controlled input to the loadFile method and other methods like addImage, html, and addFont without proper sanitization. This flaw enables path traversal attacks (CWE-35) and local file inclusion (CWE-73), whereby an attacker can manipulate the file path argument to access arbitrary files on the server's filesystem. The contents of these files are then embedded directly into generated PDFs, potentially leaking sensitive information. The vulnerability is remotely exploitable without authentication or user interaction, with a CVSS 4.0 score of 9.2 indicating critical severity. The root cause lies in insufficient validation of file paths, allowing sequences like '.../...//' to traverse directories. The issue was addressed in jsPDF 4.0.0 by restricting filesystem access by default and recommending the use of Node.js's --permission flag in production environments to limit file access. For older Node.js versions, manual sanitization of user inputs is advised. No known exploits are currently reported in the wild, but the high severity and ease of exploitation make this a significant threat for applications using vulnerable jsPDF versions in Node.js contexts.
Potential Impact
For European organizations, this vulnerability poses a serious risk of unauthorized disclosure of sensitive local files, including configuration files, credentials, or proprietary data, if they use vulnerable jsPDF versions in their Node.js applications. The ability to include arbitrary file contents in generated PDFs can lead to data breaches, intellectual property theft, and compliance violations under GDPR and other data protection regulations. Since exploitation requires no authentication or user interaction, attackers can remotely target exposed services or APIs that utilize jsPDF's vulnerable methods. This could impact sectors with heavy use of PDF generation in backend services, such as finance, healthcare, government, and software development. The compromise of internal files could also facilitate further attacks, such as privilege escalation or lateral movement within networks. The critical severity and network attack vector underline the urgency for European entities to remediate swiftly to avoid reputational damage and regulatory penalties.
Mitigation Recommendations
European organizations should immediately upgrade all Node.js applications using jsPDF to version 4.0.0 or later, which enforces filesystem access restrictions by default. Where upgrading is not immediately feasible, developers must implement rigorous sanitization of all user-supplied file path inputs to prevent path traversal sequences. Employing Node.js's --permission flag (available since Node v20.0.0 and stable in v22.13.0+) in production environments can further restrict file system access and reduce risk. Additionally, organizations should audit their codebases and dependencies to identify any usage of vulnerable jsPDF versions and isolate or restrict access to affected services. Implementing runtime application self-protection (RASP) or file integrity monitoring can help detect exploitation attempts. Finally, monitoring logs for suspicious file access patterns and educating developers about secure file handling practices will strengthen defenses against similar vulnerabilities.
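The path sanitization recommended above, as an added example (not code from jsPDF or from this advisory): a single-pass strip of `../` turns `.../...//` back into `../`, so the check resolves the path, follows symlinks and tests containment instead. `naiveStrip`, `resolveInside`, `demo` and the sandbox file names are hypothetical.

```javascript
// Added example (hypothetical helpers, not jsPDF code): confine user-supplied
// paths to one directory before they reach loadFile/addImage/html/addFont.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Weak "sanitizer": a single-pass strip of '../' is what CWE-35 defeats.
function naiveStrip(p) {
  return p.replace(/\.\.\//g, '');
}

// Hardened check: resolve, follow symlinks, then require containment in baseDir.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath === '' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = fs.realpathSync(baseDir);
  // path.resolve collapses '..' and lets an absolute userPath replace base;
  // realpathSync follows symlinks and throws if the file does not exist.
  const real = fs.realpathSync(path.resolve(base, userPath));
  const rel = path.relative(base, real);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return real;
}

// Constructed sandbox: assets/logo.png is allowed, secret.txt sits one level up.
function demo() {
  const root = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'jspdf-demo-')));
  const base = path.join(root, 'assets');
  fs.mkdirSync(base);
  fs.writeFileSync(path.join(base, 'logo.png'), 'constructed image bytes');
  fs.writeFileSync(path.join(root, 'secret.txt'), 'constructed secret');
  fs.symlinkSync(path.join(root, 'secret.txt'), path.join(base, 'link.png'));
  const check = (p) => {
    try { return path.relative(root, resolveInside(base, p)); }
    catch (e) { return 'REJECTED'; }
  };
  const inputs = ['logo.png', '../secret.txt', naiveStrip('.../...//secret.txt'),
    path.join(root, 'secret.txt'), 'link.png'];
  const results = inputs.map(check);
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}
```

Pass only the value returned by `resolveInside` to jsPDF, never the original user string.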
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-17T15:29:39.378Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 695c32b23839e4417593972b
Added to database: 1/5/2026, 9:52:50 PM
Last enriched: 1/5/2026, 10:07:10 PM
Last updated: 1/8/2026, 1:56:25 PM