jsPDF Node.js Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability allowing path traversal has been identified in the jsPDF library's Node.js build, prior to version 4.0.0. This issue arises from user control over the first argument of the loadFile method, which can be exploited to access arbitrary files on the local filesystem where the Node process is running. The contents of these files are then included verbatim in the generated PDFs. Other methods affected by this vulnerability include addImage, html, and addFont. The issue has been patched in jsPDF version 4.0.0, which restricts filesystem access by default.

Impact

Exploitation of this vulnerability allows for unauthorized access to local files, which are then included in PDF documents created by jsPDF. This could lead to the unintentional disclosure of sensitive information contained within those files.

Reproduction

To reproduce this vulnerability, load the jsPDF library in a Node.js environment and use the loadFile method to specify a file path that points to a sensitive file on the local filesystem. The contents of the file will be read and included in the generated PDF. Alternatively, the addImage method can be used to achieve the same effect by specifying a path to an image file that is actually a text file containing sensitive information.

Remediation

Users can update to jsPDF version 4.0.0 or later, which restricts filesystem access by default. For those using earlier versions of Node.js, it is recommended to sanitize user-controlled file paths before passing them to jsPDF.

Added: Jan 5, 2026, 10:26 PM
Updated: Jan 5, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.