CVE-2026-25535

Published 19/02/2026 15:16 · Modified 19/02/2026 15:52

Labels: CVE-2026-25535, 2026-02-19, CWE-400, [email protected]

Essential information

Published: 19/02/2026 15:16
Modified: 19/02/2026 15:52
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No
CWE: CWE-400

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out-of-memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing them to the `addImage` method or one of the other affected methods.
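One way to apply the workaround, as an added example that is not jsPDF code or part of the advisory: read the width and height from the GIF logical screen descriptor and reject oversized images before the bytes reach `addImage`. The names `checkGifDimensions`, `makeGifHeader` and the `MAX_PIXELS` limit are assumptions made for this sketch, and it assumes the caller has already decoded any data URL or fetched any URL into bytes.

```javascript
// Assumed limit on total pixels; tune to what the application legitimately needs.
const MAX_PIXELS = 4096 * 4096;

// Inspect a Uint8Array (or Node Buffer) and decide whether it is a GIF whose
// declared canvas size is acceptable. Only the logical screen descriptor is
// checked; per-frame image descriptors later in the file are not parsed.
function checkGifDimensions(bytes, maxPixels = MAX_PIXELS) {
  // 6-byte signature + 7-byte logical screen descriptor = 13 bytes minimum.
  if (!(bytes instanceof Uint8Array) || bytes.length < 13) {
    return { ok: false, reason: "too short to be a GIF" };
  }
  const signature = String.fromCharCode(...bytes.subarray(0, 6));
  if (signature !== "GIF87a" && signature !== "GIF89a") {
    // Other formats need their own dimension checks; reject here.
    return { ok: false, reason: "not a GIF" };
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const width = view.getUint16(6, true);  // little-endian, offset 6
  const height = view.getUint16(8, true); // little-endian, offset 8
  if (width === 0 || height === 0) {
    return { ok: false, reason: "zero dimension", width, height };
  }
  if (width * height > maxPixels) {
    return { ok: false, reason: "dimensions exceed limit", width, height };
  }
  return { ok: true, reason: "ok", width, height };
}

// Constructed sample input: a bare 13-byte GIF89a header with chosen dimensions.
function makeGifHeader(width, height) {
  const bytes = new Uint8Array(13);
  bytes.set([0x47, 0x49, 0x46, 0x38, 0x39, 0x61]); // "GIF89a"
  const view = new DataView(bytes.buffer);
  view.setUint16(6, width, true);
  view.setUint16(8, height, true);
  return bytes;
}

// Call checkGifDimensions(imageBytes) first and pass the image on only if ok.
console.log(checkGifDimensions(makeGifHeader(640, 480)));
console.log(checkGifDimensions(makeGifHeader(65535, 65535)));
```

This is a pre-filter for untrusted input and does not replace upgrading to jsPDF 4.2.0.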

NVD status

Status: Undergoing Analysis. The CVE is currently being analyzed by NVD staff; this process results in the association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Source: [email protected]

Affected products (CPE)

Product: parallax / jspdf
CPE: cpe:2.3:a:parallax:jspdf:<4.2.0:*:*:*:*:*:*:*
