CVE-2026-24133: CWE-770: Allocation of Resources Without Limits or Throttling in parallax jsPDF
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0.
AI Analysis
Technical Summary
CVE-2026-24133 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) found in the parallax jsPDF library, a widely used JavaScript tool for generating PDF documents client-side. The flaw exists in versions prior to 4.1.0 within the addImage and html methods, which accept image data or URLs as input. An attacker can exploit this by providing a malicious BMP image file with header fields specifying extremely large width and/or height values. When jsPDF processes such an image, it attempts to allocate memory proportional to these dimensions without any limit or throttling, leading to excessive memory consumption. This results in out-of-memory errors that cause the application or service to crash or become unresponsive, effectively causing a denial of service (DoS). The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network if the application processes untrusted image inputs. The issue was publicly disclosed and assigned CVE-2026-24133 with a CVSS 4.0 base score of 8.7, indicating high severity. The fix was implemented in jsPDF version 4.1.0 by adding proper input validation and resource allocation limits to prevent memory exhaustion. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk to any web applications or services that incorporate vulnerable jsPDF versions and accept user-supplied images for PDF generation.
Potential Impact
For European organizations, the primary impact of this vulnerability is denial of service, which can disrupt business operations, degrade user experience, and potentially cause downtime in web applications or services that generate PDFs from user-supplied images. Organizations in sectors such as finance, government, healthcare, and e-commerce that rely on jsPDF for document generation may face service interruptions or reputational damage if exploited. Since the vulnerability does not require authentication or user interaction, it can be triggered remotely by attackers submitting crafted BMP images, increasing the risk of automated or large-scale attacks. Additionally, denial of service conditions could be leveraged as part of multi-stage attacks to distract or exhaust incident response resources. The vulnerability does not directly lead to data breaches or code execution but impacts availability, a critical security dimension under GDPR and other European data protection regulations. Organizations may also face compliance risks if service disruptions affect critical customer-facing or internal systems.
Mitigation Recommendations
The most effective mitigation is to upgrade all instances of jsPDF to version 4.1.0 or later, where the vulnerability is fixed. Organizations should audit their codebases and dependencies to identify and update vulnerable jsPDF versions promptly. Additionally, implement strict input validation and sanitization for all image data and URLs accepted by the addImage and html methods to reject suspicious or malformed BMP files with abnormally large dimensions. Employ application-layer rate limiting and resource usage monitoring to detect and block abnormal memory consumption patterns. Consider sandboxing or isolating PDF generation processes to contain potential denial of service impacts. Regularly monitor vulnerability advisories and maintain an inventory of third-party libraries to ensure timely patching. For web-facing applications, use web application firewalls (WAFs) with custom rules to detect and block malicious image payloads targeting this vulnerability. Finally, conduct security testing and fuzzing focused on image processing components to uncover similar resource exhaustion issues.
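The dimension check recommended above can be done before any bytes reach jsPDF. The following is an added example, not jsPDF's own code and not the 4.1.0 fix: it reads the BMP header (BITMAPCOREHEADER or BITMAPINFOHEADER), rejects images whose declared width×height exceeds a pixel budget, and, for uncompressed bitmaps, rejects headers that claim more pixel data than the buffer actually contains, which is the shape of input the advisory describes (large header dimensions in a small file). It assumes Node.js `Buffer`, a hypothetical policy constant `MAX_PIXELS`, and jsPDF's real `addImage(imageData, format, x, y, w, h)` signature; `buildSampleBmp` only constructs test inputs.

```javascript
// Added example (not jsPDF project code): pre-validate BMP headers before addImage.
// MAX_PIXELS is an assumed policy value; tune it to the memory budget of the process.
const MAX_PIXELS = 50_000_000; // ~200 MB of RGBA once decoded

function inspectBmp(bytes, maxPixels = MAX_PIXELS) {
  const buf = Buffer.isBuffer(bytes) ? bytes : Buffer.from(bytes);
  if (buf.length < 26) return { ok: false, reason: 'too short for a BMP header' };
  if (buf[0] !== 0x42 || buf[1] !== 0x4d) return { ok: false, reason: 'missing BM signature' };

  const dataOffset = buf.readUInt32LE(10); // where pixel rows start
  const dibSize = buf.readUInt32LE(14);    // selects the DIB header layout
  let width, height, bpp, compression = 0;
  if (dibSize === 12) {
    // BITMAPCOREHEADER: 16-bit unsigned dimensions
    width = buf.readUInt16LE(18);
    height = buf.readUInt16LE(20);
    bpp = buf.readUInt16LE(24);
  } else if (dibSize >= 40 && buf.length >= 34) {
    // BITMAPINFOHEADER and later: 32-bit signed dimensions (negative height = top-down)
    width = buf.readInt32LE(18);
    height = buf.readInt32LE(22);
    bpp = buf.readUInt16LE(28);
    compression = buf.readUInt32LE(30); // 0 = BI_RGB (uncompressed)
  } else {
    return { ok: false, reason: `unsupported DIB header size ${dibSize}` };
  }

  const absHeight = Math.abs(height);
  if (width <= 0 || absHeight === 0) return { ok: false, reason: 'non-positive dimensions' };

  // Primary defence: cap the decoded pixel count, which is what drives allocation.
  const pixels = width * absHeight;
  if (pixels > maxPixels) {
    return { ok: false, reason: `declared ${width}x${height} exceeds pixel budget`, width, height };
  }

  // Secondary defence: an uncompressed header must not promise more rows than the file holds.
  if (compression === 0) {
    const rowBytes = Math.floor((bpp * width + 31) / 32) * 4; // rows are padded to 4 bytes
    if (dataOffset + rowBytes * absHeight > buf.length) {
      return { ok: false, reason: 'header dimensions exceed available pixel data', width, height };
    }
  }
  return { ok: true, width, height: absHeight, bpp, pixels };
}

// Wrapper that refuses to call addImage on a BMP that fails inspection.
function safeAddImage(doc, bytes, x, y, w, h) {
  const info = inspectBmp(bytes);
  if (!info.ok) throw new Error(`rejected BMP: ${info.reason}`);
  doc.addImage(Buffer.from(bytes), 'BMP', x, y, w, h);
  return info;
}

// Constructed sample input: a 54-byte BITMAPINFOHEADER file, optionally followed by
// zeroed pixel rows of the correct size. Used here only to exercise the validator.
function buildSampleBmp(width, height, bpp = 24, includePixels = true) {
  const header = Buffer.alloc(54);
  header.write('BM', 0, 'ascii');
  header.writeUInt32LE(54, 10); // pixel data offset
  header.writeUInt32LE(40, 14); // DIB header size
  header.writeInt32LE(width, 18);
  header.writeInt32LE(height, 22);
  header.writeUInt16LE(1, 26);  // colour planes
  header.writeUInt16LE(bpp, 28);
  header.writeUInt32LE(0, 30);  // BI_RGB
  const rowBytes = Math.floor((bpp * width + 31) / 32) * 4;
  const body = includePixels ? Buffer.alloc(rowBytes * Math.abs(height)) : Buffer.alloc(0);
  header.writeUInt32LE(54 + body.length, 2); // declared file size (not trusted by inspectBmp)
  return Buffer.concat([header, body]);
}
```

Run `inspectBmp` on every user-supplied BMP (and on bytes fetched from user-supplied URLs) before the data reaches `addImage` or `html`; the pixel budget, not the file size, is the value to tune, because the allocation the advisory describes is proportional to the declared dimensions rather than to the bytes received.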
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-21T18:38:22.474Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69813005f9fa50a62f63a3df
Added to database: 2/2/2026, 11:15:17 PM
Last enriched: 2/2/2026, 11:30:39 PM
Last updated: 2/7/2026, 1:42:32 AM