Upgrade jsPDF dependency to >= 3.0.2 #165

@suwan-oh

Description

Summary

  • react-to-pdf still pins jspdf@3.0.1, so projects importing this library inherit two publicly disclosed vulnerabilities (DoS and ReDoS) that were fixed in later releases.
  • Both advisories (jsPDF Denial of Service (DoS) and jsPDF Bypass Regular Expression Denial of Service (ReDoS)) describe payloads that exercise jsPDF’s addImage, html, or addSvgAsImage paths, which react-to-pdf exposes to downstream users.
  • Upgrading to jspdf@>=3.0.2 resolves the bypass and DoS issues simultaneously, making a dependency bump the safest mitigation.

Problem statement

  • Attackers can supply crafted data URLs or HTML snippets that keep jsPDF’s parsing logic busy, steadily consuming CPU and triggering a denial-of-service scenario during PDF generation.
  • Because react-to-pdf is a thin wrapper around jsPDF’s APIs, any consumer that passes untrusted content through this library is susceptible to the same DoS/ReDoS vector.
  • Remaining on jspdf@3.0.1 leaves both CVEs open: the original regular-expression based DoS and the bypass that was disclosed after 3.0.1 shipped.

Recommended fix

  • Update the jsPDF dependency in package.json to ^3.0.2 (or newer).
  • Refresh the lockfile so no older jsPDF versions remain in the dependency graph.
  • Publish a patch release to propagate the fix downstream.
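The second step above (refreshing the lockfile so no older jsPDF copy survives) is the one that is easiest to get wrong, because a hoisted jspdf@3.0.2 at the top level does not remove a nested copy pinned by a transitive dependency. The script below is an added example written for this issue, not code from react-to-pdf or jsPDF: it walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json, finds every resolved jspdf entry (including shadowed copies under other packages' node_modules), and reports the ones below 3.0.2. The sample lockfile, the react-to-pdf version 1.0.0 in it, and the helper names are constructed for the demonstration.

```javascript
// Added example (not react-to-pdf's or jsPDF's own code): audit a
// package-lock.json for jspdf copies older than the fixed release.

const FIXED_VERSION = "3.0.2"; // first release named in the issue as carrying both fixes

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", trailing pre-release ignored)
// into three numbers for comparison.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every key in lock.packages is an install path such as "node_modules/jspdf"
// or "node_modules/react-to-pdf/node_modules/jspdf", so nested copies that a
// transitive pin keeps alive are found alongside the hoisted one.
function findOutdatedJspdf(lock, fixed = FIXED_VERSION) {
  const packages = (lock && lock.packages) || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/jspdf")) continue; // only jspdf itself
    if (!meta || !meta.version) continue; // links/workspaces may lack a version
    if (compareSemver(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is already 3.0.2, but the
// lockfile was not refreshed, so react-to-pdf (hypothetical version 1.0.0)
// still resolves its own nested jspdf@3.0.1.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "react-to-pdf": "^1.0.0", jspdf: "^3.0.2" } },
    "node_modules/jspdf": { version: "3.0.2" },
    "node_modules/react-to-pdf": { version: "1.0.0", dependencies: { jspdf: "3.0.1" } },
    "node_modules/react-to-pdf/node_modules/jspdf": { version: "3.0.1" },
  },
};

// Runs the audit on the constructed lockfile; returns the list of outdated copies.
function auditSample() {
  return findOutdatedJspdf(SAMPLE_LOCK);
}

for (const hit of auditSample()) {
  console.log(`${hit.path}: jspdf ${hit.version} is older than ${FIXED_VERSION}`);
}
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means the dependency graph contains no jspdf older than 3.0.2, while any hit identifies exactly which package still pins the old version and needs its own bump or a lockfile refresh.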

References

  • GitHub Security Advisory: “jsPDF Denial of Service (DoS)” (npm) — surfaced via Dependabot alert
  • GitHub Security Advisory: “jsPDF Bypass Regular Expression Denial of Service (ReDoS)” (npm) — surfaced via Dependabot alert
