CVE-2025-29907
Published: 18 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-29907 affects jsPDF, a JavaScript library for generating PDFs, in versions prior to 3.0.1. The vulnerability arises from user control over the first argument of the addImage method, which can lead to high CPU utilization and denial of service when unsanitized image URLs, such as harmful data-URLs, are passed to it. The html and addSvgAsImage methods are also affected. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWEs 400 (Uncontrolled Resource Consumption) and 770 (Allocation of Resources Without Limits or Throttling).
An attacker can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. By supplying a malicious data-URL to the affected methods in an application using vulnerable jsPDF versions, the attacker triggers excessive CPU consumption, resulting in denial of service that disrupts PDF generation and potentially impacts the hosting application's availability.
The vulnerability was fixed in jsPDF version 3.0.1. The GitHub security advisory (GHSA-w532-jxjh-hjhj) and the fixing commit (b167c43c27c466eb914b927885b06073708338df) detail the patch. The recommended mitigation is to upgrade to the patched version immediately.
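Alongside the upgrade, an application can bound and validate the user-controlled first argument before it reaches addImage. The following is an added example, not jsPDF's code or the patch; the function names, the MIME allow-list, the size cap and the policy of accepting only base64 data-URLs are assumptions.

```javascript
// Added example: validate an untrusted image data-URL before passing it to
// jsPDF's addImage. Names, allow-list and size cap are assumptions.
const ALLOWED_MIME = new Set(["image/png", "image/jpeg"]); // assumed allow-list
const MAX_DATA_URL_LENGTH = 5 * 1024 * 1024;               // assumed cap, in characters

// Single pass over the payload: base64 alphabet only, length a multiple of 4,
// at most two '=' and only at the end. No regular expressions are used, so
// the cost stays linear in the input length.
function isBase64(s) {
  if (s.length === 0 || s.length % 4 !== 0) return false;
  let end = s.length;
  while (end > 0 && s.length - end < 2 && s[end - 1] === "=") end--;
  for (let i = 0; i < end; i++) {
    const c = s.charCodeAt(i);
    const ok = (c >= 65 && c <= 90) || (c >= 97 && c <= 122) ||
               (c >= 48 && c <= 57) || c === 43 || c === 47;
    if (!ok) return false;
  }
  return true;
}

// Returns { ok: true, mime } or { ok: false, reason }.
function checkImageDataUrl(input, maxLength = MAX_DATA_URL_LENGTH) {
  if (typeof input !== "string") return { ok: false, reason: "not-a-string" };
  if (input.length > maxLength) return { ok: false, reason: "too-long" };
  if (!input.startsWith("data:")) return { ok: false, reason: "not-a-data-url" };
  const comma = input.indexOf(",");
  if (comma === -1) return { ok: false, reason: "no-payload" };
  const parts = input.slice(5, comma).split(";"); // e.g. ["image/png", "base64"]
  const payload = input.slice(comma + 1);
  const mime = parts[0].toLowerCase();
  if (!ALLOWED_MIME.has(mime)) return { ok: false, reason: "mime-not-allowed" };
  if (parts.length !== 2 || parts[1] !== "base64") return { ok: false, reason: "not-base64" };
  if (!isBase64(payload)) return { ok: false, reason: "bad-base64" };
  return { ok: true, mime };
}

// Constructed inputs (not real images): one accepted, two rejected.
const SAMPLES = [
  "data:image/png;base64,iVBORw0KGgo=",
  "data:image/svg+xml;base64,PHN2Zz4=",
  "data:image/png;base64," + "A".repeat(64) + "!!!!",
];
const results = SAMPLES.map((s) => checkImageDataUrl(s).ok); // [true, false, false]
```

Call addImage only when the check returns ok; the same gate applies to image sources that end up in the html and addSvgAsImage methods.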
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows crafted input to jsPDF methods to cause resource exhaustion, producing a denial of service through application exploitation.