GHSA-H3Q6-JFRG-3X6Q
Vulnerability from github – Published: 2026-02-04 20:07 – Updated: 2026-02-05 21:47
VLAI?
Summary
survey-pdf Upgraded jsPDF Version Due to Security Vulnerability
Details
The following security vulnerability was identified in jsPDF versions <=3.0.4: Local File Inclusion/Path Traversal.
Impact
Since SurveyJS PDF Generator depends on jsPDF, any project using survey-pdf v1.12.58 and lower or v2.5.4 and lower could be exposed to this vulnerability.
Solution
SurveyJS PDF Generator has upgraded jsPDF to version >= 4.0.0 and included the fix in the following survey-pdf releases:
Action
Users should upgrade survey-pdf in their projects to v1.12.59+ or v2.5.5+ immediately.
Notes
No other survey-pdf dependencies are affected. This update is fully backward-compatible with previous survey-pdf releases.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.58"
},
"package": {
"ecosystem": "npm",
"name": "survey-pdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.59"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5.4"
},
"package": {
"ecosystem": "npm",
"name": "survey-pdf"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25630"
],
"database_specific": {
"cwe_ids": [
"CWE-35",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T20:07:34Z",
"nvd_published_at": "2026-02-05T19:15:56Z",
"severity": "CRITICAL"
},
"details": "The following security vulnerability was identified in jsPDF versions \u003c=3.0.4: [Local File Inclusion/Path Traversal](https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2).\n\n### Impact\n\nSince SurveyJS PDF Generator depends on jsPDF, any project using `survey-pdf` v1.12.58 and lower or v2.5.4 and lower could be exposed to this vulnerability.\n\n### Solution\n\nSurveyJS PDF Generator has upgraded jsPDF to version \u003e= 4.0.0 and included the fix in the following `survey-pdf` releases:\n\n* [v1.12.59](https://www.npmjs.com/package/survey-pdf/v/1.12.59)\n* [v2.5.5](https://www.npmjs.com/package/survey-pdf/v/2.5.5)\n\n### Action\n\nUsers should upgrade `survey-pdf` in their projects to v1.12.59+ or v2.5.5+ immediately.\n\n### Notes\n\nNo other `survey-pdf` dependencies are affected. This update is fully backward-compatible with previous `survey-pdf` releases.",
"id": "GHSA-h3q6-jfrg-3x6q",
"modified": "2026-02-05T21:47:25Z",
"published": "2026-02-04T20:07:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2"
},
{
"type": "WEB",
"url": "https://github.com/surveyjs/survey-pdf/security/advisories/GHSA-h3q6-jfrg-3x6q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25630"
},
{
"type": "PACKAGE",
"url": "https://github.com/surveyjs/survey-pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "survey-pdf Upgraded jsPDF Version Due to Security Vulnerability"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…