Critical jsPDF Exploit: Server Files Leaked via PDF Generation

Executive Summary

CVE-2025-68428 is a critical arbitrary file read vulnerability affecting the Node.js implementation of jsPDF. When user-controlled input is passed into jsPDF file-loading functions without validation, an attacker can force the application to read any file on the server filesystem that the Node.js process has access to. The file contents are then embedded into a generated PDF and returned to the attacker.

The attack is silent, requires no authentication in many cases, and leaves minimal traces unless proper logging is enabled.


Vulnerability Overview

  • CVE ID: CVE-2025-68428
  • Vulnerability Type: Arbitrary File Read via Path Traversal
  • Weakness Class: Improper Input Validation / Path Traversal
  • CVSS Score: 9.2 (Critical)
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Server-side (Node.js only)
  • Impact: Confidentiality compromise (high)

Affected Components

The vulnerability exists only in Node.js builds of jsPDF, not browser-only deployments.

Affected Versions

  • jsPDF versions up to and including 3.0.4
  • Node.js distributions:
    • jspdf.node.js
    • jspdf.node.min.js

Not Affected

  • Browser-only jsPDF usage
  • Applications that never pass user-controlled values into file-loading APIs

Root Cause Analysis

jsPDF includes helper functions that allow loading of external resources such as:

  • Images
  • Fonts
  • HTML templates
  • Binary files

In Node.js mode, these helpers rely directly on filesystem access. The core issue is that paths supplied to these functions are not sufficiently validated or restricted.

As a result, the following can be passed directly to jsPDF APIs and resolved against the host filesystem:

  • Relative paths (../)
  • Absolute paths (/etc/passwd, C:\Windows\System32\)
  • Encoded traversal sequences

Because jsPDF assumes the calling code is trusted, it does not enforce sandboxing or directory boundaries, leading to uncontrolled file reads.


Vulnerable Functions / Entry Points

The following functions are commonly involved in exploitation scenarios:

  • loadFile(path)
  • addImage(path, ...)
  • addFont(path, ...)
  • html(source, ...)

When these functions are used with user-supplied input, the vulnerability becomes exploitable.


Exploitation Scenario

A typical vulnerable workflow looks like this:

  1. A web application exposes an endpoint such as /generate-pdf
  2. The endpoint accepts parameters like:
    • Image name
    • Template name
    • Document type
  3. The backend passes these values directly to jsPDF
  4. jsPDF reads the referenced file from disk
  5. The generated PDF is returned to the requester

An attacker can manipulate the input so that, instead of loading an expected asset, jsPDF reads arbitrary system files, which are then embedded inside the PDF.


What Can Be Read by an Attacker

Depending on the permissions of the Node.js process, attackers may access:

  • /etc/passwd
  • .env files
  • Application configuration files
  • Database credentials
  • API keys
  • SSH keys
  • Cloud service tokens
  • Source code files

This vulnerability does not require authentication in many real-world deployments.


Proof of Concept (Educational Use Only)

The following example is conceptual and intended strictly for defensive understanding and education.

POST /generate-pdf
{
  "image": "../../../../../etc/passwd"
}

If this value is passed directly into addImage() or loadFile(), the contents of /etc/passwd are read and embedded into the generated PDF.

No exploit code is required beyond manipulating input values — this simplicity is why the severity is critical.


Exploit Availability

  • Public advisories and security write-ups clearly describe the exploitation pattern
  • Conceptual PoCs are publicly available
  • No complex exploit tooling is required
  • Attackers only need basic knowledge of filesystem structure

This significantly lowers the barrier to exploitation.


Detection & Monitoring Guidance

High-Risk Indicators

Look for the following signs in your environment:

  • PDF files containing unexpected plaintext data
  • PDFs larger than expected
  • Requests containing:
    • ../
    • %2e%2e
    • Absolute paths
  • Unusual filesystem reads by Node.js processes

Recommended Log Sources

To detect exploitation attempts, monitor:

Application Logs

  • Request payloads
  • PDF generation parameters
  • Error traces referencing jsPDF

Web Server / API Gateway Logs

  • Query strings
  • POST bodies
  • Suspicious path patterns

Host-Based Logs

  • File access auditing
  • Unexpected reads of sensitive files

WAF / Reverse Proxy Logs

  • Path traversal payloads
  • Encoded traversal attempts

Detection Patterns

Suspicious Input Indicators

  • ../
  • %2e%2e
  • /etc/
  • .env
  • .ssh
  • .pem

Behavioral Indicators

  • Node.js process accessing files outside application directories
  • PDF generation followed immediately by sensitive file reads

Rule Logic & Detection Engineering

1. Application-Level Rule Logic

Objective: Detect attempted exploitation via malicious input.

IF request.endpoint CONTAINS ("pdf", "generate", "export", "document")
AND request.parameters CONTAIN ANY (
  "../",
  "..\\",
  "%2e%2e",
  "/etc/",
  ".env",
  ".ssh",
  ".pem"
)
THEN alert "Possible jsPDF Arbitrary File Read Attempt"

2. WAF Rule Logic

Objective: Block traversal attempts before reaching jsPDF.

IF HTTP_METHOD IN ("POST", "PUT")
AND URL_PATH MATCHES ("pdf", "generate", "export")
AND REQUEST_BODY OR QUERY_STRING MATCHES traversal_patterns
THEN BLOCK OR ALERT

3. Host-Based Rule Logic (Critical)

Objective: Detect successful exploitation.

IF process.name == "node"
AND file.operation == "read"
AND file.path NOT IN allowed_application_directories
AND file.path MATCHES (
  "/etc/",
  "/proc/",
  ".env",
  ".ssh",
  ".pem"
)
THEN alert "Potential jsPDF Arbitrary File Read Exploitation"

4. Correlation Rule Logic

IF traversal_attempt_detected
FOLLOWED BY node_process_reads_sensitive_file
WITHIN 30 seconds

MITRE ATT&CK Mapping

  • T1083 – File and Directory Discovery
  • T1005 – Data from Local System
  • T1041 – Exfiltration Over Application Layer

Business Impact

If exploited, this vulnerability can lead to:

  • Exposure of secrets and credentials
  • Full application compromise
  • Cloud account takeover
  • Compliance violations (GDPR, SOC2, ISO)
  • Long-term persistence through leaked keys

Remediation & Mitigation

Immediate Action (Strongly Recommended)

  • Upgrade jsPDF to a release that addresses CVE-2025-68428; all releases up to and including 3.0.4 are affected

Short-Term Mitigations (If Upgrade Is Delayed)

  • Strictly validate and sanitize all inputs passed to jsPDF
  • Disallow:
    • Absolute paths
    • Relative traversal (../)
  • Use allow-lists for permitted files
  • Never pass raw user input into file-loading APIs

Defense-in-Depth

  • Run Node.js with minimal filesystem permissions
  • Containerize services with read-only filesystems where possible
  • Separate secrets from application runtime directories

Risk Rating Summary

Category            Rating
Likelihood          High
Impact              Very High
Exploit Difficulty  Low
Overall Risk        Critical

Final Takeaway

This vulnerability is dangerous not because it is complex, but because it is simple and silent. Exploitation can occur with minimal effort and leaves little evidence unless explicit logging and rule logic are in place.

Any organization using jsPDF server-side should treat CVE-2025-68428 as urgent and confirm that:

  • jsPDF is updated
  • No untrusted input reaches file-loading functions
  • PDF generation workflows are actively monitored

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.