User control of the first argument of the addImage method results in denial of service.
If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, wich lead to excessive memory allocation.
Other affected methods are: html.
Example attack vector:
import { jsPDF } from "jspdf"
// malicious GIF image data with large width/height headers
const payload = ...
const doc = new jsPDF();
doc.addImage(payload, "GIF", 0, 0, 100, 100);
The vulnerability has been fixed in jsPDF 4.1.1. Upgrade to jspdf@>=4.2.0.
Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md
| Score | Percentile |
|---|---|
| 0.08% | 23.82% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.7 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-67pg-wm7f-q7fj ↗ |
| CVE | CVE-2026-25535 ↗ |
| CWE id | Name |
|---|---|
| CWE-770 | Allocation of Resources Without Limits or Throttling |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | jspdf | < 4.2.0 | 4.2.0 | — |