@renovate renovate bot commented Nov 26, 2025

This PR contains the following updates:

Package: jspdf
Change: ^1.3.5 -> ^3.0.0

Cross-site scripting in jspdf

CVE-2020-7690 / GHSA-vh59-v9r5-4mh4


Details

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It's possible to inject JavaScript code via the html method.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Cross-site scripting in jspdf

CVE-2020-7691 / GHSA-3q6f-8grx-pr4v


Details

It's possible to use nested script tags in order to bypass the filtering regex.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N



jspdf vulnerable to Regular Expression Denial of Service (ReDoS)

CVE-2021-23353 / GHSA-57f3-gghm-9mhc


Details

This affects the package jspdf before 2.3.1. ReDoS is possible via the addImage function.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



jsPDF Bypass Regular Expression Denial of Service (ReDoS)

CVE-2025-29907 / GHSA-w532-jxjh-hjhj


Details

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service.

Other affected methods are: html, addSvgAsImage.

Example payload:

import { jsPDF } from "jspdf";

const doc = new jsPDF();
// Crafted data URL from the advisory: repeated "charset=" parameters followed by a NUL byte
const payload = 'data:/charset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=s\x00base64,undefined';

const startTime = performance.now();

try {
  doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} catch (err) {
  // Measure how long the regex took before addImage rejected the input
  const endTime = performance.now();
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`);
}

doc.save("a4.pdf");

Patches

The vulnerability was fixed in jsPDF 3.0.1. Upgrade to jspdf@>=3.0.1

Workarounds

Sanitize image urls before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N



jsPDF Denial of Service (DoS)

CVE-2025-57810 / GHSA-8mvj-3j78-4qmw


Details

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service.

Other affected methods are: html.

Example payload:

import { jsPDF } from "jspdf";

// Crafted byte sequence from the advisory: too short to be a PNG, yet it kept the parser looping
const payload = new Uint8Array([117, 171, 90, 253, 166, 154, 105, 166, 154]);

const doc = new jsPDF();
const startTime = performance.now();
try {
  doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} finally {
  // Report elapsed time whether or not addImage threw
  const endTime = performance.now();
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`);
}

Patches

The vulnerability was fixed in jsPDF 3.0.2. Upgrade to jspdf@>=3.0.2.

In jspdf@>=3.0.2, invalid PNG files throw an Error instead of causing very long running loops.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N



Release Notes

parallax/jsPDF (jspdf)

v3.0.2

Compare Source

This release fixes a security issue where parsing of corrupt PNG images could lead to long running loops and denial of service.

What's Changed

New Contributors

Full Changelog: parallax/jsPDF@v3.0.1...v3.0.2

v3.0.1

Compare Source

This release fixes two security vulnerabilities:

  • Upgrade optional dependency canvg to 3.0.11
  • Fix a ReDoS vulnerability in the addImage method and the methods html and addSvgAsImage, which depend on addImage

v3.0.0

Compare Source

This major release officially drops support for Internet Explorer and fixes a security vulnerability in the html function by updating the optional dependency dompurify to v3.2.4. There are no other breaking changes.

New Contributors

Full Changelog: parallax/jsPDF@v2.5.2...v3.0.0

v2.5.2

Compare Source

This release upgrades the Dompurify dependency to 2.5.4, which fixes a vulnerability with high severity: GHSA-mmhx-hmjr-r674.

It also upgrades fflate, core-js, and @​babel/runtime to more recent versions.

What's Changed

v2.5.1

Compare Source

This release fixes two security related issues.

  • #​3348: Check integrity when loading the pdfobject lib from CDN in calls to output('pdfobjectnewwindow')
  • #​3368: Fix inefficient regular expression in setDisplayMode (CWE-1333)

v2.5.0

Compare Source

This release adds some minor new features and fixes some bugs, e.g. related to multiline text. Thanks to all contributors!

New Features
  • #​3324 add getLineWidth function
  • #​3294: add horizontalScale option to text function
Bugfixes
  • #​3271: fix html function only rendering on the first invocation per document
  • #​3304, #​3295: fix context2D.closePath (now properly closes the path)
  • #​3274: fix Acroform text fields with multiline text
  • #​3281: fix textWithLink for multiline text
  • #​3283: fix lineHeightFactor in text options having no effect
  • #​3302: fixes to html typings
  • #​3272: fix return type of save function in typings (promise overload)

v2.4.0

Compare Source

This release brings long awaited improvements to the html function and many other bugfixes and improvements. Thanks to all contributors!

  • #​3203: Add width and windowWidth options to the html method, which will make correct scaling much easier.
  • #​2977: Add/implement margin option for html method and add autoPaging option with two different modes: 'slice' and 'text'.
  • #​3169: Add setLineDash and lineDashOffset to context2d.
  • #​3039: Add rowStart and cellStart events and headerTextColor property to table function
  • #​3132: Fix possibly negative line widths in context2d.
  • #​3217: Fix setFont with fontWeight parameter for the built-in basic fonts
  • #​3173: Fix violation of strict mode.
  • #​3121: Improve addImage performance.
  • #​3124: Allow to pass RGBA array to addImage.
  • #​3135: Fix possibly imbalanced render target stack with form objects.
  • #​3148: Add getDrawColor function to typings.
  • #​3149: Fix font name escaping.
  • #​3150: Throw an error when a zero size canvas is passed to addImage.
  • #​3168: Fix word spacing after justified text.
  • #​3215: Fix nullability of style arguments of geometry methods.
  • #​3108: Complete the jsPDFOptions type in the typings.
  • #​3119: Improve typings of the output function.

v2.3.1

Compare Source

Small bugfixes. Thanks to all contributors!

  • #​3073: fix HTMLAnchorElement is not defined in file saver
  • #​3078: fix exception in getTextDimensions() with maxWidth set
  • #​3087: fix typings of table() function
  • #​3091: fix ReDos vulnerability in addImage function
  • #​3099: improve documentation of output function

v2.3.0

Compare Source

A couple of bugfixes, improved font handling and faster compression.

  • #​3026: Fix alignment of links created with textWithLink
  • #​3032: Fix alignment of table headers
  • #​3062: Fix a bug where the options.flags parameter was ignored by the text method and consequently had the wrong defaults. This led to garbled characters sometimes and was a regression to 1.5.3.
  • #​3014: Add typings for internal events API
  • #​3036: Support for numeric font weights and separation of font weight and font style
  • #​3040: New fontFaces option for the html method that allows adding fonts similar to CSS @font-face rules (no addFont calls required anymore). When supplied, fonts are resolved using the CSS 3 font loading algorithm.
  • #​3054: replace pako library with fflate leading to faster compression and smaller bundle sizes.

v2.2.0

Compare Source

Incorporates many of the awesome contributions in context of the Hacktoberfest. Thanks to all the contributors!

  • #​2944: Fix PDF compression. Special thanks to @​markotaht!
  • #​2959: Add support for PDF encryption. Special thanks to @​owenl131!
  • #​3018: Fix font name escaping
  • #​3017: Fix dependencies in bower.json
  • #​3014: Added typings for the events API
  • #​2982: Bump dompurify version to fix cve-2020-7691
  • #​2981: Fix Canvg import
  • #​2946: Remove API, that was removed in the 2.0.0 release, also from the typings
  • #​2943: Fix links on pages with different size than the first page
  • #​2942: Fix multiline texts in combination with the maxWidth text option
  • #​2933, #​3021: Fix typings of exported types like ImageCompression
  • #​2915: Fix documentation of text method
  • #​2906: Fix "Could not load <module>" error messages
  • #​2905: Fix usages of atob/btoa in Internet Explorer and "old Edge"

v2.1.1

Compare Source

v2.1.0

Compare Source

v2.0.0

Compare Source

Finally a new release!

A lot has changed since the last release:

  • jsPDF is now co-maintained by yWorks and we merged the yWorks fork into this repo adding a lot of new features like patterns, matrices, simple path operations, etc. See the readme for details.
  • Modernized the output bundles: there are now bundles for ES modules, UMD and a special node version. We renamed the files in dist for consistency: jspdf.debug/min.js is now jspdf.umd(.min).js. We also changed the name of the global variable to jspdf (lower case) when using script tags to be consistent with the new es modules format and named imports/exports. For backwards compatibility add this line:
window.jsPDF = window.jspdf.jsPDF
  • Added typings for TypeScript support.
  • Removed APIs that were previously marked as deprecated. Namely: addHTML, fromHTML, html2pdf, addSvg, addButton, addTextField, addChoiceField, cellInitialize, setFontStyle, setFontType, clip_fixed.
  • Fixed the file-saver npm/bower install issue where jsPDF depended on a (non-existent) version directly from GitHub.
  • Made it compatible with all major toolkits and frameworks.
  • Refactored big parts of the code.
  • A lot of small and big bugfixes. Especially thanks to @​SmythConor, @​bwl21, @​32leaves, @​mktcode, @​durs, @​kakugiki, @​AdamGold and many others!

Here an (incomplete) list of additional bugfixes and changes:

  • #​2835: Fixed reading of compound glyphs when using custom fonts
  • #​2834: Fixed usage of custom fonts in context2d/when using the html method
  • #​2824: Added maxWidth parameter to getTextDimensions
  • #​2817: Fixed top margin in html method that occurred with html2canvas@​1.0.0-rc5
  • #​2816: Fixed escaping of font names with spaces
  • #​2702: Fix context2d lineWidth scaling
  • #​2806: Fix sanitizing of HTML passed as string to the html method
  • #​2797: Fix scaling issue with Acroform fields
  • #​2793: Fix autopaging issue in context2d with 10 or more pages
  • addImage and addFont accept now urls as parameters so the conversion to dataURLs is now only needed if you want to avoid CORS restrictions
  • WebP and JPEG Raw are now supported.
  • unnecessary data conversions are now reduced, so for example images should now render faster

There are some breaking changes in the API. But these are mostly API-methods which you should not use anyway.

While this release is a big step in the right direction, there are still many open issues (currently ~90). The maintainers of this repo (currently mostly @​HackbrettXXX) have very limited time and can't resolve them all without the help of the community. This is another shout out to the community: if you like this project and want to make it even more awesome, consider spending one or two hours on improving it. Pull requests are very much appreciated!

v1.5.3: "The One With Rebuilt Documentation"

Compare Source

v1.5.2: v.1.5.2 "The One Where Version Numbers Populate Correctly"

Compare Source

v1.5.1: Update documentation

Compare Source

v1.4.1: v.1.4.1 “The One Where Webpack Works Again”

Compare Source

Thanks to @​arasabbasi and @​dasaCoder. We've got another bugfix release:

  • Base64-validation of images fixed (ea4c174 )
  • Internal use of different css-colornames methods reduced to one (e43a913, 5d0b760)
  • Update canvg to recent version (e43a913)
  • Update context2d so that it can handle properly transform-method (e43a913)
  • Add methods to TextField and other Elements like var TextField = new jsPDF.API.AcroForm.TextField() or var TextField = new doc.AcroFormTextField(); in AcroForm.js
  • Hotfix html2canvas so that whitespace doesn't result in a corrupted PDF (31bb2fd)
  • Remove nodeJS-Loading-Method from addImage (commit 7a1089a)
  • Added gif- and bmp-support (38b50f4)
  • Fixed a performance-leak in extractInfoFromBase64DataURI in addImage-Plugin (c0a5e3a)
  • Add fallback filetype to filetype recognition in getImageFileTypeByImageData in addImage.js (3d32fb7)
  • Add documentation to addImage.js (3d32fb7)
  • Add addSvgAsImage-method and renaming addSVG to addSvg, but keeping addSVG for backwards-compatibility to svg.js (3d32fb7)
  • Make build.js independent from git call (c2d8501)
  • Modify split_text_to_size.js and jspdf.js to handle unicode strings, add unit tests for methods of split_text_to_size (4efd59c, f03af75, 25e8330, f03af75)
  • Add unit tests for arabic-parser and fix bugs found by unit tests (fc81d12)

v1.4.0

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
