CVE-2026-25535 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the parallax jsPDF JavaScript library used for generating PDFs. Prior to version 4.2.0, the addImage method accepts user-controlled input as its first argument, which can be exploited by attackers to supply malicious GIF files with artificially inflated width and height header values. These oversized dimensions cause the library to allocate excessive amounts of memory during image processing, leading to out-of-memory conditions and denial of service (DoS). The vulnerability extends to other methods such as html that also process image data. Exploitation requires no privileges, authentication, or user interaction, and can be triggered remotely by passing crafted image data or URLs. The issue was publicly disclosed and fixed in version 4.2.0 of jsPDF. No known exploits have been reported in the wild yet. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability with no impact on confidentiality or integrity.

This vulnerability poses a significant risk to any web application or service that uses vulnerable versions of jsPDF to generate PDFs from user-supplied content, especially where image data or URLs are accepted without proper sanitization. An attacker can remotely trigger a denial of service by causing the application to exhaust server memory resources, potentially crashing the service or severely degrading performance. This can disrupt business operations, lead to downtime, and impact user experience. Since jsPDF is widely used in web applications globally, the scope of affected systems is broad. The lack of authentication or user interaction requirements makes exploitation straightforward. While confidentiality and integrity are not directly impacted, availability degradation can have cascading effects on dependent systems and services. Organizations relying on jsPDF for PDF generation in client-side or server-side environments should consider this a high-priority issue.

The primary mitigation is to upgrade all instances of jsPDF to version 4.2.0 or later, where this vulnerability has been fixed. If immediate upgrade is not feasible, organizations should implement strict sanitization and validation of all image data and URLs passed to the addImage and html methods to ensure that image dimensions are within safe bounds and that malicious GIF files cannot be processed. Employing input validation libraries or custom checks to reject images with suspiciously large width or height values is critical. Additionally, implementing resource usage limits and timeouts on PDF generation processes can help contain potential denial of service attempts. Monitoring application logs for abnormal memory usage or crashes related to PDF generation can provide early detection. Finally, consider isolating PDF generation in sandboxed environments to limit impact on core services.