Regular Expression Denial of Service (ReDoS)
Description
This affects the package jspdf before 2.3.1. ReDoS is possible via the addImage function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-23353 is a Regular Expression Denial of Service (ReDoS) vulnerability in jsPDF's addImage function, allowing attackers to cause excessive CPU consumption.
The vulnerability is a Regular Expression Denial of Service (ReDoS) in the jsPDF library, specifically within the addImage function. The regular expression that parses the header of the image data URL contains a nested quantifier that can exhibit catastrophic backtracking on specially crafted input, leading to excessive CPU consumption [1][3].
An attacker can exploit this by providing a malicious image data string to the addImage function. No authentication is required if the application accepts user-supplied image data. The attack can be performed remotely by sending a crafted request that triggers the vulnerable regex [2][4].
Successful exploitation results in a denial of service condition, where the application becomes unresponsive due to high CPU usage. This can impact availability for legitimate users [3].
The issue was fixed in jsPDF version 2.3.1. Users should upgrade to the latest version. The fix is available in the GitHub repository [1]. No workarounds are documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
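As an added example (not jsPDF's own code), the pre-fix and patched patterns from the fix commit listed under Patches are shown beside a linear-time replacement parser for the same `data:<type>/<subtype>;charset=<value>` header that addImage receives. The 256-character cap and the single-charset rule are assumptions of this example, and the timing helper only illustrates growth, it is not a test.

```javascript
// Added example, not jsPDF's own code. Patterns copied from the fix commit
// (src/modules/addimage.js) so they can be compared with a linear-time parser.

// Pre-fix pattern: the inner class [\w=-]* can also consume the literal
// "charset=", so the outer * has many ways to split a run of markers and
// the engine tries all of them before the trailing ;*$ fails: ReDoS.
const VULNERABLE_RE = /^data:(\w*\/\w*);*(charset=[\w=-]*)*;*$/;
// Patched pattern (jsPDF 2.3.1): a lookahead rejects a marker that
// directly follows another one.
const PATCHED_RE = /^data:(\w*\/\w*);*(charset=(?!charset=)[\w=-]*)*;*$/;

// Replacement without nested quantifiers: cap the length, split on ';'
// and validate each piece with a pattern that backtracks linearly.
const MAX_HEADER_LEN = 256;        // assumed cap; real headers are short
const MIME_RE = /^\w*\/\w*$/;      // same token shape as the originals
const CHARSET_RE = /^charset=[\w=-]*$/;

function parseDataUrlHeader(header) {
  if (typeof header !== "string" || header.length > MAX_HEADER_LEN) return null;
  if (!header.startsWith("data:")) return null;
  const parts = header.slice("data:".length).split(";");
  const mime = parts.shift();
  if (!MIME_RE.test(mime)) return null;
  let charset = null;
  for (const part of parts) {
    if (part === "") continue;            // tolerate ";;" like the originals
    if (!CHARSET_RE.test(part)) return null;
    if (charset !== null) return null;    // assumption: at most one charset
    charset = part.slice("charset=".length);
  }
  return { mime, charset };
}

// Constructed inputs: a normal header, and a non-matching one that makes
// the pre-fix pattern backtrack across n repeated markers before failing.
const GOOD_HEADER = "data:image/png;charset=utf-8";
const failingHeader = (n) => "data:image/png;" + "charset=".repeat(n) + "!";

// Wall-clock cost of one test; illustration only, not an assertion.
function timeRegex(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - t0) / 1e6 };
}

if (typeof require !== "undefined" && require.main === module) {
  // Each extra marker roughly doubles the pre-fix pattern's time, while
  // the parser's cost stays proportional to the input length.
  for (const n of [10, 14, 18]) {
    console.log(`n=${n}`, timeRegex(VULNERABLE_RE, failingHeader(n)).ms.toFixed(1), "ms");
  }
}
```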
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jspdf (npm) | < 2.3.1 | 2.3.1 |
Affected products
- jspdf/jspdf
Patches
d8bb3b39efcd fix ReDoS-vulnerable regexp in addImage (#3091)
1 file changed · +1 −1
src/modules/addimage.js+1 −1 modified@@ -630,7 +630,7 @@ import { atob, btoa } from "../libs/AtobBtoa.js"; var result = null; if (dataUrlParts.length === 2) { - var extractedInfo = /^data:(\w*\/\w*);*(charset=[\w=-]*)*;*$/.exec( + var extractedInfo = /^data:(\w*\/\w*);*(charset=(?!charset=)[\w=-]*)*;*$/.exec( dataUrlParts[0] ); if (Array.isArray(extractedInfo)) {
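Review bot: the negative lookahead `(?!charset=)` in the new pattern only rejects a `charset=` marker that directly follows another one; since `\w` covers the letters of `charset` and `=` is in the class, `[\w=-]*` can still swallow later markers, so a value in which `charset=` recurs with other characters in between still leaves the outer `*` with exponentially many ways to split the string before `;*$` fails, and the nested quantifier remains. A `data:` media type carries at most one charset parameter, so `(charset=[\w=-]*)?` (optional rather than repeated) removes the nesting outright; a length check on `dataUrlParts[0]` before the regex runs would bound the worst case either way.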
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-57f3-gghm-9mhc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23353 (NVD entry)
- github.com/MrRio/jsPDF/commit/d8bb3b39efcd129994f7a3b01b632164144ec43e (fix commit)
- github.com/MrRio/jsPDF/pull/3091 (fix pull request)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1083289
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1083287
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMRRIO-1083288
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1083286
- snyk.io/vuln/SNYK-JS-JSPDF-1073626