jspdf: Malicious GIFs Can Crash Your PDF Generator
CVE-2026-25535
GHSA-67pg-wm7f-q7fj
Summary
A malicious GIF image can crash the jspdf library, causing a denial of service. This can happen if you're not careful when adding images to a PDF. To fix this, update jspdf to version 4.2.0 or later, or sanitize any image data before using it in the library.
What to do
- Update mrjameshall jspdf to version 4.2.0.
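The advisory's workaround is to sanitize image data before it reaches `addImage`. The following is an added defensive example, not code from this advisory or from the jsPDF project: it parses the GIF logical screen descriptor and every frame's image descriptor (each frame carries its own width and height in the GIF89a layout) and refuses the image before `addImage` is called when the claimed pixel count exceeds a cap. The `MAX_PIXELS` policy value, the `addImageChecked` wrapper and the sample byte arrays are assumptions constructed for the example; the byte offsets follow the GIF89a specification.

```javascript
// Added example (not jsPDF project code). Rejects GIF bytes whose header
// dimensions would force excessive allocation before they reach addImage.
// Assumes the image is already in memory as a Uint8Array.
// MAX_PIXELS is an assumed deployment policy, not a value jsPDF defines.
const MAX_PIXELS = 4096 * 4096; // ~16.7 Mpx, ~64 MiB once decoded to RGBA

// Little-endian 16-bit read, as used throughout the GIF format.
function u16le(bytes, off) {
  return bytes[off] | (bytes[off + 1] << 8);
}

// Skips length-prefixed data sub-blocks; returns the offset past the 0x00
// terminator. Throws if the file ends before the terminator.
function skipSubBlocks(bytes, off) {
  while (off < bytes.length) {
    const len = bytes[off++];
    if (len === 0) return off;
    off += len;
  }
  throw new Error("truncated GIF data sub-blocks");
}

// Checks the logical screen and every frame descriptor against maxPixels.
// Returns { ok: true, width, height, frames } or { ok: false, reason };
// hostile input produces a rejection, never an exception.
function checkGifDimensions(bytes, maxPixels = MAX_PIXELS) {
  if (bytes.length < 13) return { ok: false, reason: "too short for a GIF header" };
  const sig = String.fromCharCode(...bytes.subarray(0, 6));
  if (sig !== "GIF87a" && sig !== "GIF89a") return { ok: false, reason: "not a GIF signature" };
  const width = u16le(bytes, 6);  // logical screen width
  const height = u16le(bytes, 8); // logical screen height
  if (width === 0 || height === 0) return { ok: false, reason: "zero logical screen dimension" };
  if (width * height > maxPixels) {
    return { ok: false, reason: `logical screen ${width}x${height} exceeds pixel cap` };
  }
  const packed = bytes[10];
  let off = 13;
  if (packed & 0x80) off += 3 * (1 << ((packed & 0x07) + 1)); // skip global colour table
  let frames = 0;
  try {
    while (off < bytes.length) {
      const block = bytes[off++];
      if (block === 0x3b) break;            // trailer: end of file
      if (block === 0x21) {                 // extension block: label + sub-blocks
        off = skipSubBlocks(bytes, off + 1);
        continue;
      }
      if (block !== 0x2c) return { ok: false, reason: `unexpected block id 0x${block.toString(16)}` };
      if (off + 9 > bytes.length) return { ok: false, reason: "truncated image descriptor" };
      const fw = u16le(bytes, off + 4);     // frame width
      const fh = u16le(bytes, off + 6);     // frame height
      const fpacked = bytes[off + 8];
      off += 9;
      if (fw === 0 || fh === 0 || fw * fh > maxPixels) {
        return { ok: false, reason: `frame ${fw}x${fh} exceeds pixel cap` };
      }
      if (fpacked & 0x80) off += 3 * (1 << ((fpacked & 0x07) + 1)); // skip local colour table
      off = skipSubBlocks(bytes, off + 1);  // LZW min code size, then pixel data
      frames += 1;
    }
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  if (frames === 0) return { ok: false, reason: "no image frames" };
  return { ok: true, width, height, frames };
}

// Hypothetical wrapper around jsPDF's addImage(imageData, format, x, y, w, h):
// the call is refused instead of letting the decoder act on hostile headers.
function addImageChecked(doc, bytes, x, y, w, h, maxPixels = MAX_PIXELS) {
  const verdict = checkGifDimensions(bytes, maxPixels);
  if (!verdict.ok) throw new Error(`rejected GIF: ${verdict.reason}`);
  doc.addImage(bytes, "GIF", x, y, w, h);
  return verdict;
}

// Constructed sample inputs (not real files). A valid 1x1 GIF with a
// two-entry global colour table and one frame:
const TINY_GIF = Uint8Array.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61,                           // "GIF89a"
  0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00,                     // 1x1, GCT flag set
  0x00, 0x00, 0x00, 0xff, 0xff, 0xff,                           // global colour table
  0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,   // image descriptor 1x1
  0x02, 0x02, 0x44, 0x01, 0x00,                                 // LZW data
  0x3b,                                                         // trailer
]);
// Header whose logical screen claims 65535x65535, then the trailer:
const HUGE_SCREEN_GIF = Uint8Array.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x3b,
]);
// Modest 1x1 logical screen, but a frame descriptor claiming 65535x65535:
const HUGE_FRAME_GIF = Uint8Array.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
  0x2c, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00,
  0x02, 0x02, 0x44, 0x01, 0x00, 0x3b,
]);
```

When the untrusted input is a URL rather than bytes, fetch it yourself, run the check on the response body, and pass the verified bytes to `addImage`, so the library never fetches and decodes an unchecked resource. Choose the cap from what the rendering path can actually afford in memory rather than from the format's 65535x65535 maximum.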
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| mrjameshall | jspdf | <= 4.2.0 | 4.2.0 |
| parall | jspdf | <= 4.2.0 | – |
Original title
jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
Original description
### Impact
User control of the first argument of the `addImage` method results in denial of service.
If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out-of-memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation.
Another affected method is `html`.
Example attack vector:
```js
import { jsPDF } from "jspdf"
// malicious GIF image data with large width/height headers
const payload = ...
const doc = new jsPDF();
doc.addImage(payload, "GIF", 0, 0, 100, 100);
```
### Patches
The vulnerability has been fixed in jsPDF 4.1.1. Upgrade to jspdf@>=4.2.0.
### Workarounds
Sanitize image data or URLs before passing them to the `addImage` method or one of the other affected methods.
### References
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md
nvd CVSS3.1
7.5
nvd CVSS4.0
8.7
Vulnerability type
CWE-400
Uncontrolled Resource Consumption
CWE-770
Allocation of Resources Without Limits
- https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e... Patch
- https://github.com/parallax/jsPDF/releases/tag/v4.2.0 Release Notes
- https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25535
- https://github.com/advisories/GHSA-67pg-wm7f-q7fj
- https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md Exploit Third Party Advisory
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026