Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-25535
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-19 Feb, 2026 | 14:34
Updated At-19 Feb, 2026 | 16:03
Rejected At-
▼CVE Numbering Authority (CNA)
jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Affected Products
Vendor
parallax
Product
jsPDF
Versions
Affected
  • < 4.2.0
Problem Types
TypeCWE IDDescription
CWECWE-400CWE-400: Uncontrolled Resource Consumption
CWECWE-770CWE-770: Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-400
Description: CWE-400: Uncontrolled Resource Consumption
Type: CWE
CWE ID: CWE-770
Description: CWE-770: Allocation of Resources Without Limits or Throttling
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj
x_refsource_CONFIRM
https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6
x_refsource_MISC
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md
x_refsource_MISC
https://github.com/parallax/jsPDF/releases/tag/v4.2.0
x_refsource_MISC
Hyperlink: https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6
Resource:
x_refsource_MISC
Hyperlink: https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md
Resource:
x_refsource_MISC
Hyperlink: https://github.com/parallax/jsPDF/releases/tag/v4.2.0
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found