jsPDF Denial-of-Service Vulnerability via Unvalidated BMP Image Dimensions

A denial-of-service vulnerability has been identified in jsPDF versions prior to 4.1.0. The issue arises in the 'addImage' method, where user control of the first argument allows the introduction of unsanitized image data or URLs. Malicious BMP files with large width and height entries can be used to exploit this vulnerability, leading to out-of-memory errors and causing the application to become unresponsive. The 'html' method is also affected. The vulnerability has been fixed in jsPDF version 4.1.0.

Impact

Exploitation of this vulnerability causes out-of-memory errors, leading to a denial-of-service condition where the application becomes unresponsive.

Reproduction

To reproduce this vulnerability, import the jsPDF library and create a new jsPDF document. Then, use the 'addImage' method to add a BMP image that has been crafted to include large dimensions in its header. This will trigger the vulnerability by causing excessive memory allocation.

Remediation

Users are advised to upgrade to jsPDF version 4.1.0 or later. Additionally, it is recommended to sanitize image data or URLs before passing them to the 'addImage' method or the 'html' method.