CVE-2026-25535 – jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions

CVE ID : CVE-2026-25535

Published : Feb. 19, 2026, 2:34 p.m. | 26 minutes ago

Description : jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…