Affected versions of this package are vulnerable to External Control of File Name or Path via the loadFile, addImage, html and addFont functions. An attacker can access and include arbitrary files from the local file system into generated PDFs.
Workaround
This vulnerability can be mitigated by using the Node.js --permission flag in production environments (available in Node.js v20.0.0 and stable since v22.13.0/v23.5.0/v24.0.0).