CVE-2025-29907: jsPDF Bypass Regular Expression Denial of Service (ReDoS)

March 18, 2025 (updated March 19, 2025)

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service.

Other affected methods are: html, addSvgAsImage.

Example payload:

import { jsPDF } from "jpsdf"

References

github.com/advisories/GHSA-w532-jxjh-hjhj
github.com/parallax/jsPDF
github.com/parallax/jsPDF/commit/b167c43c27c466eb914b927885b06073708338df
github.com/parallax/jsPDF/security/advisories/GHSA-w532-jxjh-hjhj
nvd.nist.gov/vuln/detail/CVE-2025-29907

Code Behaviors & Features

Detect and mitigate CVE-2025-29907 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →