
CVE-2026-24133: CWE-770: Allocation of Resources Without Limits or Throttling in parallax jsPDF

Severity: High
Tags: CVE-2026-24133, CWE-770
Published: Mon Feb 02 2026 (02/02/2026, 20:32:37 UTC)
Source: CVE Database V5
Vendor/Project: parallax
Product: jsPDF

Description

CVE-2026-24133 is a high-severity vulnerability in jsPDF versions prior to 4.1.0, caused by improper resource allocation when processing user-supplied image data via the addImage and html methods. Attackers can supply malicious BMP files with extremely large dimensions, leading to excessive memory allocation and resulting in denial of service (DoS) through out-of-memory errors. This vulnerability requires no authentication or user interaction and can be exploited remotely via network access. The issue has been fixed in jsPDF version 4.1.0. European organizations using vulnerable jsPDF versions in web applications or services that accept user-generated PDFs are at risk of service disruption. Mitigation involves upgrading to jsPDF 4.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/10/2026, 11:12:22 UTC

Technical Analysis

CVE-2026-24133 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the parallax jsPDF library versions prior to 4.1.0. jsPDF is a widely used JavaScript library for generating PDF documents client-side or server-side. The vulnerability arises from insufficient validation of the first argument passed to the addImage method and the html method, which can accept image data or URLs. Specifically, if an attacker can supply a malicious BMP image with extremely large width and/or height values in the header, the library attempts to allocate memory proportional to these dimensions without any upper limit or throttling. This leads to excessive memory consumption, causing out-of-memory errors and effectively denying service to legitimate users. The vulnerability does not require any privileges, authentication, or user interaction, and can be triggered remotely if the application processes untrusted image inputs. The issue was publicly disclosed and fixed in jsPDF version 4.1.0. No known exploits are currently reported in the wild, but the high CVSS score of 8.7 reflects the potential impact and ease of exploitation. The vulnerability primarily affects web applications and services that use vulnerable jsPDF versions to generate PDFs from user-supplied content, especially those that allow embedding images without proper sanitization or size validation.

Potential Impact

For European organizations, this vulnerability poses a significant risk of denial-of-service attacks that can disrupt business operations, particularly for companies relying on jsPDF for PDF generation in customer-facing web applications, document management systems, or automated reporting tools. The DoS can lead to service outages, degraded user experience, and potential financial losses. Organizations in sectors such as finance, legal, government, and software development, which often generate PDFs dynamically, are particularly exposed. Additionally, the disruption could serve as a vector for more complex attacks by causing system instability or diverting attention from other malicious activity. Because the vulnerability requires no authentication or user interaction, it enlarges the attack surface, especially for public-facing applications. The absence of known exploits provides a window for proactive mitigation before widespread exploitation occurs.

Mitigation Recommendations

1. Upgrade all instances of jsPDF to version 4.1.0 or later immediately to ensure the vulnerability is patched.
2. Implement strict input validation and sanitization for all image data and URLs passed to the addImage and html methods, enforcing maximum allowed dimensions and rejecting suspicious BMP files.
3. Employ runtime monitoring and resource usage limits on services generating PDFs to detect and mitigate abnormal memory consumption patterns.
4. If upgrading is not immediately feasible, consider disabling or restricting functionality that accepts user-supplied images or HTML content for PDF generation.
5. Conduct code reviews and security testing focused on third-party library usage, especially for components handling untrusted inputs.
6. Educate developers about the risks of resource exhaustion vulnerabilities and best practices for secure PDF generation.
7. Monitor security advisories for any emerging exploits related to this vulnerability and apply patches promptly.
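The following is an added example of the dimension check described in recommendation 2; it is not code from jsPDF or from this advisory. It reads the width and height fields directly out of the BMP header (BITMAPCOREHEADER or BITMAPINFOHEADER and later) and refuses to hand the bytes to addImage when either axis or the total pixel count exceeds a cap. The cap values, the `addImageSafely` wrapper and the assumption that the application already holds the file as a `Uint8Array` are all assumptions of the example, as is the `doc.addImage(data, 'BMP', x, y, w, h)` call form.

```javascript
// Added example (not jsPDF's own code): reject BMP files whose header claims
// dimensions that would force an oversized allocation, before calling addImage.

// Policy values assumed for this example; tune to the service's memory budget.
const MAX_DIMENSION = 8192;            // per-axis cap in pixels
const MAX_PIXELS = 16 * 1024 * 1024;   // total pixel cap (16 Mpx ~ 64 MiB of RGBA)

// Parse only the fixed-offset header fields; never decode pixel data here.
function readBmpDimensions(bytes) {
  const buf = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  if (buf.length < 26) throw new Error('truncated BMP header');
  if (buf[0] !== 0x42 || buf[1] !== 0x4d) throw new Error('not a BMP file'); // "BM"
  const dv = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const dibSize = dv.getUint32(14, true);  // DIB header size selects the layout
  let width;
  let height;
  if (dibSize === 12) {
    // BITMAPCOREHEADER: unsigned 16-bit width and height
    width = dv.getUint16(18, true);
    height = dv.getUint16(20, true);
  } else if (dibSize >= 40) {
    // BITMAPINFOHEADER / V4 / V5: signed 32-bit; negative height means top-down rows
    width = dv.getInt32(18, true);
    height = Math.abs(dv.getInt32(22, true));
  } else {
    throw new Error(`unsupported DIB header size ${dibSize}`);
  }
  return { width, height };
}

// Returns { ok, reason?, width, height } so callers can log why a file was refused.
function checkBmpDimensions(bytes) {
  const { width, height } = readBmpDimensions(bytes);
  if (width <= 0 || height <= 0) {
    return { ok: false, reason: 'non-positive dimension', width, height };
  }
  if (width > MAX_DIMENSION || height > MAX_DIMENSION) {
    return { ok: false, reason: 'dimension exceeds cap', width, height };
  }
  if (width * height > MAX_PIXELS) {
    return { ok: false, reason: 'pixel count exceeds cap', width, height };
  }
  return { ok: true, width, height };
}

// Constructed sample data: a 54-byte BITMAPINFOHEADER-style header with the
// requested dimensions and no pixel payload, used only to exercise the check.
function makeBmpHeader(width, height) {
  const buf = new Uint8Array(54);
  const dv = new DataView(buf.buffer);
  buf[0] = 0x42; buf[1] = 0x4d;       // "BM" signature
  dv.setUint32(2, 54, true);          // file size (header only)
  dv.setUint32(10, 54, true);         // offset of pixel data
  dv.setUint32(14, 40, true);         // BITMAPINFOHEADER
  dv.setInt32(18, width, true);
  dv.setInt32(22, height, true);
  dv.setUint16(26, 1, true);          // colour planes
  dv.setUint16(28, 24, true);         // bits per pixel
  return buf;
}

// Gate the untrusted bytes, then forward to jsPDF. `doc` is assumed to be a
// jsPDF instance; x, y, w, h are document units as addImage expects.
function addImageSafely(doc, bytes, x, y, w, h) {
  const verdict = checkBmpDimensions(bytes);
  if (!verdict.ok) {
    throw new Error(`rejected BMP: ${verdict.reason} (${verdict.width}x${verdict.height})`);
  }
  doc.addImage(bytes, 'BMP', x, y, w, h);
  return verdict;
}

module.exports = { readBmpDimensions, checkBmpDimensions, makeBmpHeader, addImageSafely };
```

The check runs in constant time and touches only the first 26 bytes, so it is cheap enough to apply to every upload; pair it with a byte-length limit on the request body and, per recommendation 3, a process-level memory limit, since a header that passes the check is no guarantee that the rest of the file is well formed.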


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-21T18:38:22.474Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69813005f9fa50a62f63a3df

Added to database: 2/2/2026, 11:15:17 PM

Last enriched: 2/10/2026, 11:12:22 AM

Last updated: 3/23/2026, 10:50:09 PM

Views: 88

Community Reviews

0 reviews

