Vulnerabilities: 1 via 1 paths

Dependencies: 90

Source: GitHub

Commit: 43070c10

critical severity
new

External Control of File Name or Path

  • Vulnerable module: jspdf
  • Introduced through: jspdf@3.0.4

Detailed paths

  • Introduced through: @terrestris/react-geo@terrestris/react-geo#43070c10aedb52e381e6d75ea9c2390e6e7637a6 › jspdf@3.0.4
    Remediation: Upgrade to jspdf@4.0.0.

Overview

jspdf is a library for creating PDF documents from JavaScript.

Affected versions of this package are vulnerable to External Control of File Name or Path via the loadFile, addImage, html and addFont functions. An attacker can access and include arbitrary files from the local file system into generated PDFs.

Workaround

This vulnerability can be mitigated by using the Node.js --permission flag in production environments (available in Node.js v20.0.0 and stable since v22.13.0/v23.5.0/v24.0.0).

Remediation

Upgrade jspdf to version 4.0.0 or higher.
