jsPDF Affected by Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder
Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jspdfnpm | < 4.1.0 | 4.1.0 |
Affected products
1Patches
1ae4b93f76d8fMerge commit from fork
2 files changed · +11 −4
src/libs/BMPDecoder.js+9 −4 modified@@ -79,11 +79,16 @@ BmpDecoder.prototype.parseHeader = function() { BmpDecoder.prototype.parseBGR = function() { this.pos = this.offset; - try { - var bitn = "bit" + this.bitPP; - var len = this.width * this.height * 4; - this.data = new Uint8Array(len); + var bitn = "bit" + this.bitPP; + var len = this.width * this.height * 4; + + if (len > 512 * 1024 * 1024) { + throw new Error("Image dimensions exceed 512MB, which is too large."); + } + this.data = new Uint8Array(len); + + try { this[bitn](); } catch (e) { console.log("bit decode error:" + e);
src/modules/addimage.js+2 −0 modified@@ -781,6 +781,8 @@ import { atob } from "../libs/AtobBtoa.js"; * @param {string} compression compression of the generated JPEG, can have the values 'NONE', 'FAST', 'MEDIUM' and 'SLOW' * @param {number} rotation rotation of the image in degrees (0-359) * + * @throws {Error} if the input is invalid, such as invalid image data. + * * @returns jsPDF */ jsPDFAPI.addImage = function() {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-95fx-jjr5-f39cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24133ghsaADVISORY
- github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0dghsax_refsource_MISCWEB
- github.com/parallax/jsPDF/releases/tag/v4.1.0ghsax_refsource_MISCWEB
- github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39cghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.