Update dependency jspdf to v3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jspdf	2.5.1 → 3.0.1

---

jsPDF Bypass Regular Expression Denial of Service (ReDoS)

CVE-2025-29907 / GHSA-w532-jxjh-hjhj

More information

Details

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service.

Other affected methods are: html, addSvgAsImage.

Example payload:

import { jsPDF } from "jpsdf" 

const doc = new jsPDF();
const payload = 'data:/charset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=s\x00base64,undefined';

const startTime = performance.now()

try {
 doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} catch (err) {
  const endTime = performance.now()
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`)
}

doc.save("a4.pdf");

Patches

The vulnerability was fixed in jsPDF 3.0.1. Upgrade to jspdf@>=3.0.1

Workarounds

Sanitize image urls before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-w532-jxjh-hjhj
• https://github.com/parallax/jsPDF/commit/b167c43c27c466eb914b927885b06073708338df
• https://nvd.nist.gov/vuln/detail/CVE-2025-29907
• https://github.com/advisories/GHSA-w532-jxjh-hjhj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

parallax/jsPDF (jspdf)

v3.0.1

Compare Source

This release fixes two security vulnerabilities:

• Upgrade optional dependency canvg to 3.0.11
• Fix a ReDoS vulnerability in the addImage method and the methods html and addSvgAsImage, which depend on addImage

v3.0.0

Compare Source

This major release officially drops support for Internet Explorer and fixes a security vulnerability in the html function by updating the optional dependency dompurify to v3.2.4. There are no other breaking changes.

New Contributors

• @​nlqivision made their first contribution in #​3812
• @​dependabot made their first contribution in #​3826
• @​hainenber made their first contribution in #​3827

Full Changelog: parallax/jsPDF@v2.5.2...v3.0.0

v2.5.2

Compare Source

This release upgrades the Dompurify dependency to 2.5.4 with fixes a vulnerability with high severity: GHSA-mmhx-hmjr-r674.

It also upgrades fflate, core-js, and @​babel/runtime to more recent versions.

What's Changed

• Implement justifying for unicode fonts by @​owenl131 in #​3285
• chore: update dompurify version 2.5.4 by @​MarcioMeier in #​3768
• [Snyk] Upgrade fflate from 0.4.8 to 0.8.1 by @​MrRio in #​3666
• [Snyk] Upgrade core-js from 3.6.5 to 3.33.0 by @​MrRio in #​3664
• [Snyk] Upgrade @​babel/runtime from 7.14.6 to 7.23.2 by @​MrRio in #​3665

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.