Security vulnerability in jsPDF

[012git012]

Hello!

We'd like to notify you that a security vulnerability was discovered in jsPDF. We have prepared a report with technical details about the discovered vulnerability. We are ready to provide you the report as soon as possible.

We have tried to contact 'lukas.hollaender@yworks.com' and 'james@parall.ax' as provided in the Security Policy, but have had no replies.

Please specify the current address to which the report should be sent.

Thank you for cooperation.

[JakeLaCombe]

I'm getting this as well, related to canvg.

[MrRio]

What email address did you send details from?

[JakeLaCombe]

I sent one to lukas

[rescarabel0]

having problems with canvg too guys (GHSA-v2mw-5mch-w8c5)

[ben-jackson5611]

Maybe one day #3770

[rakleed]

canvg fixed it in https://github.com/canvg/canvg/releases/tag/v4.0.3, needs to be upgraded in jsPDF now

[NazeerHussain-Bentley]

same here, facing a security issue due to jspdf dependency on canvg
since canvg fixed
can someone fix jspdf too?

[Zertz]

canvg fixed it in https://github.com/canvg/canvg/releases/tag/v4.0.3, needs to be upgraded in jsPDF now

It would need to be a breaking change because upgrading canvg requires dropping UMD support: https://github.com/canvg/canvg/releases/tag/v4.0.0

[mhamendes]

No breaking changes needed, there's a v3 update fixing the security issue as well.

https://github.com/canvg/canvg/releases/tag/v3.0.11

[savv]

@HackbrettXXX would it be possible to have a release?

[pchigrin]

Ticket CVE-2025-25977 doesn't consider canvg v3.x safe at all. But it should I guess.

[rescarabel0]

Ticket CVE-2025-25977 doesn't consider canvg v3.x safe at all. But it should I guess.

yeah i have a feeling npm audit is going to keep complaining if canvg isnt >=v4.0.3