CVE-2025-29907 HIGH

CVE-2025-29907: jsPDF Bypass Regular Expression Denial of Service (ReDoS)

Vendor Parallax
Product jsPDF
Weakness CWE-400
Published March 18, 2025
Last update March 18, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user control of the first argument of the addImage method results in high CPU utilization and denial of service. If given the possibility to pass unsanitized image URLs to the addImage method, a user can provide a harmful data URL that results in high CPU utilization and denial of service. Other affected methods are html and addSvgAsImage. The vulnerability was fixed in jsPDF 3.0.1.
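As an added defensive example (not code from the CVE record or from jsPDF itself), the gate below validates a user-controlled image source in a single linear pass and caps its length before it ever reaches addImage; the size cap and MIME allowlist are assumed policy values, and the format string handed to addImage is derived from the validated MIME type.

```javascript
// Added example: validate user-controlled image sources before jsPDF's addImage.
// Not part of jsPDF or the CVE record. MAX_DATA_URL_LENGTH and ALLOWED_MIME
// are assumed policy values; tune them to your application.
const MAX_DATA_URL_LENGTH = 5 * 1024 * 1024; // reject anything over ~5 MiB
const ALLOWED_MIME = new Set(["image/png", "image/jpeg", "image/webp"]);
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Linear-time, single-pass parse of a data URL. Returns { mime, payload } or
// null; the string is never handed to a backtracking regular expression.
function parseDataUrl(input) {
  if (typeof input !== "string" || input.length > MAX_DATA_URL_LENGTH) return null;
  if (!input.startsWith("data:")) return null;
  const comma = input.indexOf(",");
  if (comma === -1) return null;
  const params = input.slice(5, comma).split(";"); // e.g. "image/png;base64"
  const mime = params[0].toLowerCase();
  const isBase64 = params.slice(1).some((p) => p.toLowerCase() === "base64");
  if (!ALLOWED_MIME.has(mime) || !isBase64) return null;
  const payload = input.slice(comma + 1);
  if (payload.length === 0 || payload.length % 4 === 1) return null;
  let padding = 0;
  for (let i = 0; i < payload.length; i++) {
    const ch = payload[i];
    if (ch === "=") { padding++; continue; } // '=' is only legal at the tail
    if (padding > 0 || B64.indexOf(ch) === -1) return null;
  }
  if (padding > 2) return null;
  return { mime, payload };
}

// Wrapper around doc.addImage(imageData, format, x, y, w, h) that refuses
// anything parseDataUrl rejects. Returns the format string passed to jsPDF.
function safeAddImage(doc, src, x, y, w, h) {
  const parsed = parseDataUrl(src);
  if (parsed === null) throw new Error("rejected untrusted image source");
  const format = parsed.mime.slice("image/".length).toUpperCase(); // PNG, JPEG, WEBP
  doc.addImage(src, format, x, y, w, h);
  return format;
}
```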

Key dates

Disclosure timeline

March 18, 2025 CVE published
March 18, 2025 Record updated