parallax jsPDF
cpe:2.3:a:parall:jspdf:*:*:*:*:node.js:*:*
- <= 4.1.0
A denial-of-service vulnerability has been identified in jsPDF versions prior to 4.2.0. The issue arises in the 'gif_support.js' module, which does not validate the image dimensions declared in the GIF header. A user who can supply a GIF file can therefore declare exaggerated dimensions, leading to excessive memory allocation and out-of-memory errors. The vulnerability can be exploited through the 'addImage' method, and also affects the 'html' method. When exploited, this issue causes browser tabs to freeze or crash, or exhausts the heap memory of a Node.js process, disrupting PDF generation services.
Exploitation of this vulnerability causes browser tabs to freeze or crash, leading to a loss of unsaved data. In server-side Node.js environments, it can exhaust the process's heap memory, causing a crash and a complete outage of the PDF generation service.
To reproduce this vulnerability, create a GIF file with large width and height entries in the header, such as 65535x65535 pixels. This can be done by hex-editing a minimal GIF file to alter the dimension values. Once the malicious GIF is prepared, it can be passed to the 'addImage' method of jsPDF, which triggers the denial-of-service condition, either by causing a range error due to invalid array lengths or by terminating the process altogether.
Upgrade jsPDF to version 4.2.0 or later. Users can also implement maximum dimension constraints before passing image data to the GIF processor.
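One way to apply the maximum-dimension constraint mentioned above before image data reaches the GIF processor, as an added example that is not jsPDF's own code. It checks the width and height in the GIF header and, going beyond the header, in each frame's image descriptor; the limits and the names `assertSafeGif` and `sampleGif` are assumptions.

```javascript
// Added example, not jsPDF code. The limits below are assumed values; tune them.
const MAX_SIDE = 4096;               // assumed per-side limit in pixels
const MAX_PIXELS = 16 * 1024 * 1024; // assumed total pixel budget per image

function checkDims(w, h, where) {
  if (w > MAX_SIDE || h > MAX_SIDE || w * h > MAX_PIXELS) {
    throw new RangeError(`GIF ${where} is ${w}x${h}, over the configured limit`);
  }
}

// Skip a chain of data sub-blocks (length byte + data, ended by a 0 length).
function skipSubBlocks(b, p) {
  for (;;) {
    if (p >= b.length) throw new Error("truncated GIF");
    const n = b[p++];
    if (n === 0) return p;
    p += n;
  }
}

// Throws unless every declared dimension is within limits; fails closed on
// malformed or truncated input. Call before doc.addImage(...).
function assertSafeGif(input) {
  const b = input instanceof Uint8Array ? input : new Uint8Array(input);
  const sig = String.fromCharCode(...b.subarray(0, 6));
  if (b.length < 13 || (sig !== "GIF87a" && sig !== "GIF89a")) throw new Error("not a GIF");
  const u16 = (o) => b[o] | (b[o + 1] << 8);             // little-endian
  const tableSize = (packed) => (packed & 0x80 ? 3 * (1 << ((packed & 7) + 1)) : 0);
  checkDims(u16(6), u16(8), "logical screen");           // header width/height
  let p = 13 + tableSize(b[10]);                         // skip global color table
  while (p < b.length) {
    const tag = b[p++];
    if (tag === 0x3b) return true;                       // trailer: end of file
    if (tag === 0x21) { p = skipSubBlocks(b, p + 1); continue; } // extension block
    if (tag !== 0x2c || p + 9 > b.length) throw new Error("malformed GIF");
    checkDims(u16(p + 4), u16(p + 6), "frame");          // image descriptor
    p = skipSubBlocks(b, p + 9 + tableSize(b[p + 8]) + 1); // +1: LZW code size
  }
  throw new Error("truncated GIF");
}

// Constructed sample: a one-frame GIF whose declared size is w x h.
function sampleGif(w, h) {
  const le = (v) => [v & 0xff, v >> 8];
  return Uint8Array.from([0x47, 0x49, 0x46, 0x38, 0x39, 0x61, ...le(w), ...le(h), 0, 0, 0,
    0x2c, 0, 0, 0, 0, ...le(w), ...le(h), 0, 2, 2, 0x4c, 0x01, 0, 0x3b]);
}
```

Run `assertSafeGif` on the raw bytes and reject the input on any throw, so oversized or malformed files never reach 'addImage' or 'html'.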