jspdf 2.2.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the jspdf package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `addImage` and `html` methods when processing BMP image data with unvalidated dimensions. An attacker can cause excessive memory allocation and application unavailability by supplying a BMP file with large width or height values. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `jspdf` to version 4.1.0 or higher.	<4.1.0
L Race Condition jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Race Condition in the `addJS` function due to the use of a shared module-scoped variable for storing JavaScript content. An attacker can cause sensitive data intended for one user to be included in another user's PDF by making concurrent requests that exploit the shared state. Note: This is only exploitable when used in a concurrent environment, e.g., on a Node.js web server. How to fix Race Condition? Upgrade `jspdf` to version 4.1.0 or higher.	<4.1.0
M XML Injection jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to XML Injection via the `addMetadata` function. An attacker can compromise the integrity of generated PDF files by injecting arbitrary XML into the XMP metadata, potentially spoofing document authorship or other metadata fields. How to fix XML Injection? Upgrade `jspdf` to version 4.1.0 or higher.	<4.1.0
C External Control of File Name or Path jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to External Control of File Name or Path via the `loadFile`, `addImage`, `html` and `addFont` functions. An attacker can access and include arbitrary files from the local file system into generated PDFs. How to fix External Control of File Name or Path? Upgrade `jspdf` to version 4.0.0 or higher.	<4.0.0
H Allocation of Resources Without Limits or Throttling jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `addImage` or `html` methods. An attacker can cause excessive CPU utilization and application unresponsiveness by supplying malicious PNG image data or URLs. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `jspdf` to version 3.0.2 or higher.	<3.0.2
H Regular Expression Denial of Service (ReDoS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `addImage()`, `html()`, and `addSvgAsImage()` methods. An attacker can occupy excessive CPU by supplying a malicious data-url. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `jspdf` to version 3.0.1 or higher.	<3.0.1
M Regular Expression Denial of Service (ReDoS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). ReDoS is possible via the addImage function. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `jspdf` to version 2.3.1 or higher.	<2.3.1

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the addImage and html methods when processing BMP image data with unvalidated dimensions. An attacker can cause excessive memory allocation and application unavailability by supplying a BMP file with large width or height values.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade jspdf to version 4.1.0 or higher.

<4.1.0

Race Condition

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Race Condition in the addJS function due to the use of a shared module-scoped variable for storing JavaScript content. An attacker can cause sensitive data intended for one user to be included in another user's PDF by making concurrent requests that exploit the shared state.

Note: This is only exploitable when used in a concurrent environment, e.g., on a Node.js web server.

How to fix Race Condition?

Upgrade jspdf to version 4.1.0 or higher.

<4.1.0

XML Injection

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to XML Injection via the addMetadata function. An attacker can compromise the integrity of generated PDF files by injecting arbitrary XML into the XMP metadata, potentially spoofing document authorship or other metadata fields.

How to fix XML Injection?

Upgrade jspdf to version 4.1.0 or higher.

<4.1.0

External Control of File Name or Path

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to External Control of File Name or Path via the loadFile, addImage, html and addFont functions. An attacker can access and include arbitrary files from the local file system into generated PDFs.

How to fix External Control of File Name or Path?

Upgrade jspdf to version 4.0.0 or higher.

<4.0.0

Allocation of Resources Without Limits or Throttling

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the addImage or html methods. An attacker can cause excessive CPU utilization and application unresponsiveness by supplying malicious PNG image data or URLs.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade jspdf to version 3.0.2 or higher.

<3.0.2

Regular Expression Denial of Service (ReDoS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the addImage(), html(), and addSvgAsImage() methods. An attacker can occupy excessive CPU by supplying a malicious data-url.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade jspdf to version 3.0.1 or higher.

<3.0.1

Regular Expression Denial of Service (ReDoS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). ReDoS is possible via the addImage function.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade jspdf to version 2.3.1 or higher.

<2.3.1

jspdf@2.2.0 vulnerabilities

PDF Document creation from JavaScript

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically