Critical jsPDF flaw lets hackers steal secrets via generated PDFs

  • January 7, 2026

Jasper_The_Rasper

January 7, 2026 By Bill Toulas

 

The jsPDF library for generating PDF documents in JavaScript applications is vulnerable to a critical vulnerability that allows an attacker to steal sensitive data from the local filesystem by including it in generated files.

The flaw is a local file inclusion and path traversal that allows passing unsanitized paths to the file loading mechanism (loadFile) in jsPDF versions before 4.0. It is tracked as CVE-2025-68428 and received a severity score of 9.2.

The jsPDF library is a widely adopted package with more than 3.5 million weekly downloads in the npm registry.

In jsPDF’s Node.js builds, the 'loadFile' function is used for reading the local filesystem. The problem arises when user-controlled input is passed as the file path, causing jsPDF to incorporate into the generated PDF output the content of the file.

 

>>Full Article<<
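The condition described above (user-controlled input reaching a file path in a Node.js build) can be closed off on the application side by resolving every requested asset against a fixed directory before the path is handed to any PDF-generation call. This is an added example, not code from the article or from jsPDF; `resolveAssetPath`, `demo` and the sample file names are hypothetical, and the temporary directory tree is constructed for the demonstration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: map a user-supplied asset name to a real file that
// lives inside baseDir, or throw. Call it before any path reaches jsPDF.
function resolveAssetPath(baseDir, userInput) {
  if (typeof userInput !== 'string' || userInput === '' || userInput.includes('\0')) {
    throw new Error('invalid asset name');
  }
  const root = fs.realpathSync(baseDir);
  // realpathSync follows symlinks and throws if the target does not exist.
  const target = fs.realpathSync(path.resolve(root, userInput));
  const rel = path.relative(root, target);
  const escapes =
    rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) throw new Error('asset path is outside the allowed directory');
  return target;
}

// Constructed sample tree: one legitimate asset, one secret outside the root.
function demo() {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'pdf-demo-'));
  const assets = path.join(tmp, 'assets');
  const secret = path.join(tmp, 'secret.env');
  fs.mkdirSync(assets);
  fs.writeFileSync(path.join(assets, 'logo.png'), 'constructed image bytes');
  fs.writeFileSync(secret, 'API_KEY=constructed');
  fs.symlinkSync(secret, path.join(assets, 'link.png'));
  // Relative name, traversal, absolute path, symlink out of the root, missing file.
  const inputs = ['logo.png', '../secret.env', secret, 'link.png', 'missing.png'];
  const verdicts = inputs.map((input) => {
    try {
      resolveAssetPath(assets, input);
      return 'allowed';
    } catch (err) {
      return 'rejected';
    }
  });
  fs.rmSync(tmp, { recursive: true, force: true });
  return verdicts;
}

console.log(demo().join(', '));
```

Only the plain file name inside the asset directory is accepted; the traversal sequence, the absolute path, the symlink pointing outside the directory and the nonexistent file are all refused before any file content is read.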