Skip to content
This repository was archived by the owner on Nov 18, 2025. It is now read-only.

Update dependency jspdf to v3.0.2 [SECURITY] #201

Open
renovate wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Update dependency jspdf to v3.0.2 [SECURITY] #201

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Sep 9, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
jspdf 3.0.1 -> 3.0.2 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-57810

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service.

Other affected methods are: html.

Example payload:

import { jsPDF } from "jspdf" 

const payload = new Uint8Array([117, 171, 90, 253, 166, 154, 105, 166, 154])

const doc = new jsPDF();
const startTime = performance.now();
try {
  doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} finally {
  const endTime = performance.now();
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`);
}

Patches

The vulnerability was fixed in jsPDF 3.0.2. Upgrade to jspdf@>=3.0.2.

In jspdf@>=3.0.2, invalid PNG files throw an Error instead of causing very long running loops.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

Release Notes

parallax/jsPDF (jspdf)

v3.0.2

Compare Source

This release fixes a security issue where parsing of corrupt PNG images could lead to long running loops and denial of service.

What's Changed

New Contributors

Full Changelog: parallax/jsPDF@v3.0.1...v3.0.2

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-jspdf-vulnerability branch from fb1c77a to dc24059 Compare September 25, 2025 17:59
@renovate renovate bot force-pushed the renovate/npm-jspdf-vulnerability branch from dc24059 to 5cce58a Compare October 8, 2025 12:47
@renovate renovate bot changed the title fix(deps): update dependency jspdf to v3.0.2 [security] Update dependency jspdf to v3.0.2 [SECURITY] Oct 16, 2025
@renovate renovate bot force-pushed the renovate/npm-jspdf-vulnerability branch from 5cce58a to a53a914 Compare October 21, 2025 09:32
@renovate renovate bot force-pushed the renovate/npm-jspdf-vulnerability branch from a53a914 to 07f1b04 Compare October 22, 2025 09:45
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies type:security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant