Critical Vulnerability in jsPDF Exposes Sensitive Data via Local File Inclusion A severe vulnerability in the jsPDF library, tracked as CVE-2025-68428 (CVSS 9.2), allows attackers to steal sensitive files from the local filesystem by embedding them in generated PDFs. The flaw stems from a local file inclusion and path traversal issue in jsPDF versions prior to 4.0.0, where unsanitized user input passed to the `loadFile` function enables unauthorized file access. The jsPDF library, widely used for JavaScript-based PDF generation, has over 3.5 million weekly downloads on npm. The vulnerability affects Node.js builds (`dist/jspdf.node.js` and `dist/jspdf.node.min.js`), where the `loadFile` function—used for reading local files—can be exploited if file paths are dynamically controlled by users. Additional methods, including `addImage`, `html`, and `addFont`, are also impacted, as they internally call `loadFile`. Exploitation risk is mitigated if file paths are hardcoded, sourced from trusted configurations, or restricted via allowlists. However, the jsPDF team warns that the vulnerability could be actively exploited given the library’s widespread adoption. The issue was patched in jsPDF 4.0.0, which restricts filesystem access by default and relies on Node.js’s experimental permission model. For full protection, developers are advised to use Node.js 22.13.0, 23.5.0, or 24.0.0 and later, as earlier versions lack stable permission controls. While enabling the `--permission` flag is a suggested workaround, it applies globally to the Node.js process, not just jsPDF. Overly permissive `--allow-fs-read` configurations may also undermine the fix. For older Node.js versions, the jsPDF team recommends sanitizing user-provided paths before passing them to the library. Security firm Endor Labs highlighted the flaw in a technical report, emphasizing the need for strict input validation to prevent exploitation.