CVE-2026-24133: jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder
User control of the first argument of the addImage method results in Denial of Service.
If an application passes unsanitized image data or URLs to the addImage method, an attacker can supply a crafted BMP file that causes out-of-memory errors and denial of service. Such BMP files carry very large width and/or height values in their headers, which the BMPDecoder trusts and turns into an excessive memory allocation before any pixel data is read.
Other affected methods are: html.
Example attack vector:
import { jsPDF } from "jspdf"
// malicious BMP image data with large width/height headers
const payload = ...
const doc = new jsPDF();
doc.addImage(payload, "BMP", 0, 0, 100, 100);