
@Nancy-Chauhan Nancy-Chauhan commented Jan 28, 2026

Summary

Updates the transitive dependency jspdf from ^3.0.2 to ^4.0.0 to fix a critical security vulnerability.

CVE-2025-68428: Local File Inclusion/Path Traversal vulnerability in jsPDF that could allow arbitrary file reads in Node.js environments.

Changes

  • Updated jspdf version constraint in superset-frontend/package.json from ^3.0.2 to ^4.0.0

Impact Assessment

Low risk of breakage:

  • Superset uses jspdf indirectly through dom-to-pdf for browser-based PDF export
  • The jspdf v4.0.0 breaking change only affects Node.js file system access (which is the vulnerability fix)
  • No API changes for browser-based PDF generation
  • The PDF export functionality (downloadAsPdf.ts) should continue working without modification

Security Advisory

Test Plan

  • Run existing frontend tests
  • Verify PDF export functionality works (Dashboard → Export to PDF)
  • Run npm audit to confirm vulnerability is resolved
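A check that complements the test plan above, added here as an example rather than code from the PR or from Superset: because jspdf is pulled in transitively (via dom-to-pdf), a bump in package.json alone can leave a stale nested copy in package-lock.json, so this script walks the lockfile's "packages" map and flags every installed jspdf below 4.0.0. The sample lockfile and the dom-to-pdf version in it are constructed for the demonstration.

```javascript
// Added example, not part of the PR: audit a lockfile for jspdf copies,
// including nested/transitive ones, below the 4.0.0 release that restricts
// Node.js file system access (GHSA-f8cm-6447-x5h2).
const FIXED_VERSION = '4.0.0';

// Compare two "x.y.z" version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile "packages" map (lockfileVersion 2/3). Every key ending in
// "node_modules/jspdf" is an installed copy, whether top-level or nested under
// another package such as dom-to-pdf.
function findVulnerableJspdf(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/jspdf') || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (versions are illustrative): a clean top-level
// jspdf plus a stale nested copy under dom-to-pdf, which is the case a plain
// package.json bump can miss.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'dom-to-pdf': '^0.3.0' } },
    'node_modules/dom-to-pdf': { version: '0.3.2', dependencies: { jspdf: '^3.0.2' } },
    'node_modules/dom-to-pdf/node_modules/jspdf': { version: '3.0.4' },
    'node_modules/jspdf': { version: '4.0.0' },
  },
};

const sampleHits = findVulnerableJspdf(sampleLock);
console.log(sampleHits.length
  ? `vulnerable jspdf copies: ${JSON.stringify(sampleHits)}`
  : 'lockfile clean');
```

To run it against a real checkout, replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).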

bito-code-review bot commented Jan 28, 2026

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

Updates jspdf from 3.0.2 to 4.0.0 to fix a critical Local File
Inclusion/Path Traversal vulnerability (CVE-2025-68428).

**Vulnerability:** jsPDF <= 3.0.4 allows attackers to read arbitrary
files from the server via unsanitized paths in loadFile, addImage,
addFont, and html methods.

**Impact:** Sensitive files could be embedded in generated PDFs.

**Fix:** jsPDF 4.0.0 restricts file system access by default.

Reference: GHSA-f8cm-6447-x5h2
Nancy-Chauhan force-pushed the fix/security-jspdf-cve-2025-68428 branch from 5e882de to ef52435 on January 29, 2026 00:36
sfirke commented Jan 29, 2026

Something may have gone wrong with git, this PR is showing 25k lines of code changes in package-lock.json. Could you try to remedy that? Feel free to close this and open a new PR if needed.

Nancy-Chauhan (Author) replied

> Something may have gone wrong with git, this PR is showing 25k lines of code changes in package-lock.json. Could you try to remedy that? Feel free to close this and open a new PR if needed.

Thanks for the feedback! You were right.

I've opened a new PR with a clean diff: #37553. Closing this one.
