CVE-2026-25535: jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
User control of the first argument of the addImage method results in denial of service.
If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, wich lead to excessive memory allocation.
Other affected methods are: html.
Example attack vector:
import { jsPDF } from "jspdf"
// malicious GIF image data with large width/height headers
const payload = ...
const doc = new jsPDF();
doc.addImage(payload, "GIF", 0, 0, 100, 100);
References
- github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md
- github.com/advisories/GHSA-67pg-wm7f-q7fj
- github.com/parallax/jsPDF
- github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6
- github.com/parallax/jsPDF/releases/tag/v4.2.0
- github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj
- nvd.nist.gov/vuln/detail/CVE-2026-25535
Code Behaviors & Features
Detect and mitigate CVE-2026-25535 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →