CVE Alert

CVE-2026-25535

UNKNOWN 0.0

jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out-of-memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing them to the `addImage` method or one of the other affected methods.
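One way to apply the workaround above is to read the declared GIF dimensions before the bytes reach `addImage`. This is an added example, not jsPDF's code or its fix; `checkGifDimensions`, `sampleGif` and the pixel limit are assumptions, and because the page does not say which header field drives the allocation, it checks both the logical screen and every frame descriptor.

```javascript
// Added example. MAX_GIF_PIXELS is an assumed limit; tune it to your documents.
const MAX_GIF_PIXELS = 4096 * 4096;

// bytes: Uint8Array of the raw file. Returns { ok, reason }.
function checkGifDimensions(bytes, maxPixels = MAX_GIF_PIXELS) {
  const fail = (reason) => ({ ok: false, reason });
  if (bytes.length < 13) return fail("truncated header");
  const sig = String.fromCharCode(...bytes.subarray(0, 6));
  if (sig !== "GIF87a" && sig !== "GIF89a") return fail("not a GIF");
  const u16 = (o) => bytes[o] | (bytes[o + 1] << 8); // little-endian
  const tooBig = (w, h) => w * h > maxPixels;
  const tableSize = (packed) => (packed & 0x80 ? 3 * (1 << ((packed & 7) + 1)) : 0);
  // Skip a chain of data sub-blocks; returns the next offset, or -1 if truncated.
  const skipSubBlocks = (p) => {
    while (p < bytes.length) {
      const n = bytes[p++];
      if (n === 0) return p;
      p += n;
    }
    return -1;
  };

  if (tooBig(u16(6), u16(8))) return fail("logical screen too large");
  let pos = 13 + tableSize(bytes[10]); // skip global color table if present
  while (pos >= 0 && pos < bytes.length) {
    const tag = bytes[pos++];
    if (tag === 0x3b) return { ok: true, reason: "" }; // trailer
    if (tag === 0x21) {
      pos = skipSubBlocks(pos + 1); // extension: label byte, then sub-blocks
    } else if (tag === 0x2c) { // image descriptor: x, y, width, height, packed
      if (pos + 9 > bytes.length) return fail("truncated image descriptor");
      if (tooBig(u16(pos + 4), u16(pos + 6))) return fail("frame too large");
      // skip descriptor, optional local color table, LZW code-size byte, pixel data
      pos = skipSubBlocks(pos + 9 + tableSize(bytes[pos + 8]) + 1);
    } else {
      return fail("unknown block type");
    }
  }
  return fail("truncated or missing trailer");
}

// Constructed sample: one-frame GIF with the given screen and frame sizes.
function sampleGif(sw, sh, fw, fh) {
  const le = (v) => [v & 0xff, v >> 8];
  return Uint8Array.from([
    0x47, 0x49, 0x46, 0x38, 0x39, 0x61, ...le(sw), ...le(sh), 0, 0, 0,
    0x2c, 0, 0, 0, 0, ...le(fw), ...le(fh), 0, 2, 2, 0x4c, 0x01, 0, 0x3b,
  ]);
}
```

Run the check on the fetched or uploaded bytes and only hand them to `addImage` when `ok` is true; when a URL is supplied, fetch it yourself with a response size limit so the check sees the same bytes the library will.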

CWE: CWE-400, CWE-770
Vendor: parallax
Product: jspdf
Published: Feb 19, 2026
Last Updated: Feb 19, 2026

Affected Versions

parallax / jsPDF
< 4.2.0

References

github.com: https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj
github.com: https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6
github.com: https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md
github.com: https://github.com/parallax/jsPDF/releases/tag/v4.2.0