CVE-2025-29907 - High CPU DoS Vulnerability in jsPDF via Image Data URLs

jsPDF is a popular JavaScript library for generating PDF files in the browser and server-side JavaScript environments like Node.js. It's widely used in web applications, dashboards, and reporting tools because it allows easy PDF document creation and manipulation.

But recently, the jsPDF library was found to have a severe security vulnerability (CVE-2025-29907) that puts many apps at risk of Denial of Service (DoS). In this post, we’ll break down how the issue works, show code snippets, discuss the fix, and explain how to secure your apps.

What’s the Problem? (CVE-2025-29907 Explained)

Before version 3.0.1, jsPDF’s addImage() method did not sanitize its input properly. If a user supplied a malicious or overly complex data URL as the image source, jsPDF would attempt to process it without limitation. The result? CPU usage would spike, often to 100%, making the browser—or even the backend server—lock up. This effectively creates a Denial of Service (DoS) attack vector.

Other similar methods, like html() and addSvgAsImage(), were also affected.

In Short: If you let users upload or insert images, and pass that input straight to jsPDF, your app could become unresponsive.

Code Example: How Does the Attack Work?

Suppose you’re building an app that lets users make PDF certificates. You want users to add their photos—so you take the image URL they give and use jsPDF’s addImage() function.

Here’s a simplified (vulnerable) code snippet:

import jsPDF from "jspdf";

// USER_INPUT can be any string provided by a site visitor!
const USER_INPUT = prompt("Enter your image data-url");

// You pass user input as the first argument
const doc = new jsPDF();
doc.addImage(USER_INPUT, "PNG", 10, 10, 50, 50); // NO Sanitization!

doc.save("output.pdf");

If the attacker enters a gigantic or deeply nested data URL (for example, one that encodes megabytes of data, tons of SVG filters, etc.), jsPDF will chew through CPU trying to decode and process it. This can freeze the browser tab or cause high resource consumption on a server.

What’s worse: Since there are no restrictions, attackers could automate several requests and take down key parts of your app.

Here is an example of what an attacker might use:

// Example: Creating a huge data URL
let longString = 'A'.repeat(10_000_000); // 10 MB
let maliciousDataUrl = `data:image/png;base64,${btoa(longString)}`;

// This will hang the browser for seconds (or more)
// (`doc` is the jsPDF instance created in the snippet above)
doc.addImage(maliciousDataUrl, "PNG", 10, 10, 50, 50);

Attackers can get even more creative with SVGs (using recursive or CPU-hungry filters) or malformed PNG headers.

Other Affected Methods

- html(): Converts HTML to an image, then adds it to the PDF. User-controlled HTML could embed huge or malicious images.
- addSvgAsImage(): Rasterizes SVG markup and adds it to the PDF. User-controlled SVG (for example, with CPU-hungry filters) is processed the same way.

For technical details and patches, see:

- jsPDF GitHub Security Advisory
- jsPDF Release Notes
- NPM Advisory Page (if available)

How Was It Fixed?

The vulnerability is fixed in jsPDF version 3.0.1. The maintainers added proper input checks and restricted how images are processed, ensuring oversized or non-standard data URLs do not hog CPU.

1. Update jsPDF

If you use jsPDF, update to version 3.0.1 or later immediately:

npm install jspdf@latest

2. Sanitize User Input

Never let raw user input go directly into addImage() and similar methods. Instead, limit acceptable file types and sizes before creating data URLs.

3. Set Reasonable Limits

On the backend or frontend, reject images or SVGs that are too large or too complex.
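The following is an added example (not code from this post or from the jsPDF project) of how steps 2 and 3 can be combined into a single gate in front of addImage(): it rejects oversized input before any decoding, accepts only an allow-list of raster types (so SVG never reaches the library), and checks the decoded bytes against the declared type. The size limit and the safeAddImage() wrapper name are assumptions for illustration.

```javascript
// Added example (not code from this post or the jsPDF project): gate image
// data URLs before they reach jsPDF.addImage(). The limit is an assumed default.
const MAX_DATA_URL_CHARS = 2 * 1024 * 1024; // ~1.5 MB of decoded image data

// Allow-list of raster types, each with the file signature its payload must start with.
const ALLOWED_TYPES = {
  "image/png":  { format: "PNG",  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  "image/jpeg": { format: "JPEG", magic: [0xff, 0xd8, 0xff] },
};

// Strict shape: data:<mime>;base64,<payload>. No charset parameters, no URL-encoded payloads.
const DATA_URL_RE = /^data:([a-z]+\/[a-z0-9.+-]+);base64,([A-Za-z0-9+/]+={0,2})$/;

function validateImageDataUrl(input, maxChars = MAX_DATA_URL_CHARS) {
  if (typeof input !== "string") return { ok: false, reason: "not a string" };
  // Cheapest check first: an oversized string is rejected before any regex or decoding work.
  if (input.length > maxChars) return { ok: false, reason: "data URL too large" };
  const m = DATA_URL_RE.exec(input);
  if (!m) return { ok: false, reason: "not a base64 image data URL" };
  const [, mime, b64] = m;
  const spec = ALLOWED_TYPES[mime];
  if (!spec) return { ok: false, reason: `type ${mime} not allowed` }; // e.g. image/svg+xml
  if (b64.length % 4 !== 0) return { ok: false, reason: "malformed base64" };
  // Node's Buffer is used here; in a browser, decode with atob() into a Uint8Array instead.
  const bytes = Buffer.from(b64, "base64");
  if (spec.magic.some((b, i) => bytes[i] !== b)) {
    return { ok: false, reason: `payload is not a ${spec.format}` };
  }
  return { ok: true, format: spec.format, byteLength: bytes.length, dataUrl: input };
}

// Hypothetical wrapper for doc.addImage(userInput, ...) that refuses anything the gate rejects.
function safeAddImage(doc, userInput, x, y, w, h) {
  const v = validateImageDataUrl(userInput);
  if (!v.ok) throw new Error(`image rejected: ${v.reason}`);
  doc.addImage(v.dataUrl, v.format, x, y, w, h); // format comes from the allow-list, not the user
  return v;
}
```

The 10 MB payload from the snippet above fails the length check before any decoding, and an SVG data URL fails the allow-list check, so neither ever reaches jsPDF.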

4. Audit for Indirect Use

Check whether third-party plugins or modules in your stack use jsPDF and update them as well.

- What’s Affected: jsPDF < 3.0.1 (npm package)
- Vulnerability: CPU utilization spike and Denial of Service via unsanitized image data URLs passed to addImage(), html(), addSvgAsImage()
- Fix: Upgrade jsPDF to 3.0.1 or newer
- Mitigation: Validate and sanitize all image inputs, set size/complexity limits

Final Thoughts

Libraries like jsPDF are amazing—but always use the latest versions, and never trust user input blindly, especially with features that may stress the server or browser’s resources. This is a prime example of how a seemingly harmless API can be weaponized.

For more on jsPDF and ongoing updates, visit the official GitHub repo.

Stay safe, keep your dependencies up to date, and always sanitize user input!

Timeline

Published on: 03/18/2025 19:15:51 UTC