
Patching may not be enough
The jsPDF maintainers addressed the issue in version 4.0.0 by restricting filesystem access by default. The fix relies on Node.js permission mode, which requires applications to explicitly grant read access to specific directories at runtime. When properly configured, this prevents jsPDF from accessing files outside approved paths.
However, this approach introduces operational complexity. Node.js permission mode is evolving, and many production environments either run older Node versions or have not adopted permission-based execution. “Many environments run older Node.js versions that lack stable permission mode support, and enabling --permission may break existing functionality if filesystem access patterns haven’t been carefully mapped,” the researchers noted.
The researchers outlined a set of steps for assessing whether a deployment is exploitable: verifying whether jsPDF is used server-side (the issue is not exploitable on the client side), checking whether the running version already implements permission mode and has filesystem permissions properly configured, identifying affected code paths with SCA tools, and manually searching the vulnerable codebase.
