Security vulnerability in jsPDF #3834

Closed
012git012 opened this issue Mar 10, 2025 · 14 comments · Fixed by #3836

Comments

@012git012

Hello!

We'd like to notify you that a security vulnerability was discovered in jsPDF. We have prepared a report with technical details about the discovered vulnerability. We are ready to provide you the report as soon as possible.

We have tried to contact '[email protected]' and '[email protected]' as provided in the Security Policy, but have had no replies.

Please specify the current address to which the report should be sent.

Thank you for your cooperation.

@JakeLaCombe

I'm getting this as well, related to canvg.

@MrRio
Member

MrRio commented Mar 12, 2025

What email address did you send details from?

@JakeLaCombe

I sent one to lukas

@rescarabel0

having problems with canvg too guys (GHSA-v2mw-5mch-w8c5)

@ben-jackson5611

Maybe one day #3770

@rakleed

rakleed commented Mar 12, 2025

canvg fixed it in https://github.com/canvg/canvg/releases/tag/v4.0.3, needs to be upgraded in jsPDF now

@NazeerHussain-Bentley

Same here, facing a security issue due to jspdf's dependency on canvg.
Since canvg fixed it, can someone fix jspdf too?

@Zertz

Zertz commented Mar 13, 2025

> canvg fixed it in https://github.com/canvg/canvg/releases/tag/v4.0.3, needs to be upgraded in jsPDF now

It would need to be a breaking change because upgrading canvg requires dropping UMD support: https://github.com/canvg/canvg/releases/tag/v4.0.0

@mhamendes

No breaking changes needed, there's a v3 update fixing the security issue as well.

https://github.com/canvg/canvg/releases/tag/v3.0.11

@savv

savv commented Mar 13, 2025

@HackbrettXXX would it be possible to have a release?

@pchigrin

Ticket CVE-2025-25977 doesn't consider canvg v3.x safe at all. But it should I guess.

@rescarabel0

> Ticket CVE-2025-25977 doesn't consider canvg v3.x safe at all. But it should I guess.

Yeah, I have a feeling npm audit is going to keep complaining if canvg isn't >=v4.0.3.

@willyt150

> Ticket CVE-2025-25977 doesn't consider canvg v3.x safe at all. But it should I guess.

Looks like it's been updated to call out 3.0.11 as a patched version as well.

@HackbrettXXX
Collaborator

We've updated to [email protected] in #3836. I'll publish it this week.

billhimmelsbach added a commit to cfpb/hmda-frontend that referenced this issue Mar 20, 2025
chore(deps): resolve outstanding high and moderate security vulnerabilities

Let's fix up the remaining high and moderate severity vulnerabilities. This goes through and cherry-picks commits from dependabot PRs and combines it with a few that had to be manually fixed.

🚀 Currently on Dev as v3.2.3h 🚀

## Changes

### Dependabot cherry-picked commits
- micromatch from 4.0.7 to 4.0.8 
- nanoid from 3.3.7 to 3.3.8 
- path-to-regexp from 1.8.0 to 1.9.0 
- @babel/runtime from 7.24.8 to 7.26.10 
- vite from 5.4.7 to 5.4.12 
- elliptic from 6.5.6 to 6.6.1 

### Manual dependency bumps
- chore(deps): resolve esbuild to 0.25.0
  - see vitejs/vite#19412 for explanation
- chore(deps): resolve dompurify to 3.2.4
  - see parallax/jsPDF#3825 for explanation
- chore(deps): resolve canvg to 3.0.11
  - see parallax/jsPDF#3834 for explanation
  - bumping this to 3.0.11 won't get rid of the dependabot alert, but does fix the vulnerability. We'll wait for [the jspdf patch](parallax/jsPDF#3834).

## Testing

1. Do the tests still pass on Dev?
_Looks like only the tests expected to fail on Dev are failing_
![Screenshot 2025-03-17 at 5 24 30 PM](https://github.com/user-attachments/assets/26695629-cf42-463d-8eae-93ac2525d924)

2. Does the site still behave normally?
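As an added illustration of the check the commit above does by hand (this is not code from jsPDF, canvg or the hmda-frontend repository), the script below scans an npm `package-lock.json` for every installed copy of canvg, including the transitive copy nested under jspdf, and reports any copy older than the patched releases named in this thread (3.0.11 on the 3.x line, 4.0.3 on the 4.x line). The sample lockfile is constructed, and treating only those two lines as affected, with anything else flagged for review, is an assumption.

```javascript
// Added example: find unpatched canvg copies in a package-lock.json (lockfileVersion 2/3).
// Patched versions named in the thread: 3.0.11 (3.x line) and 4.0.3 (4.x line).
// Assumption: a version is patched if it is >= the patched release of its major line;
// any other major line is flagged so a human reviews it instead of it being ignored.
const PATCHED = { 3: [3, 0, 11], 4: [4, 0, 3] };

function parseVersion(v) {
  // "3.0.11" -> [3, 0, 11]; pre-release/build suffixes are ignored
  return v.split(/[-+]/)[0].split('.').map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isCanvgPatched(version) {
  const parsed = parseVersion(version);
  const floor = PATCHED[parsed[0]];
  if (!floor) return false; // unknown major line: treat as needing review
  return compareVersions(parsed, floor) >= 0;
}

function findUnpatchedCanvg(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match every installed copy, e.g. node_modules/jspdf/node_modules/canvg,
    // not just the top-level one that `npm ls` shows first.
    if (path === 'node_modules/canvg' || path.endsWith('/node_modules/canvg')) {
      if (!isCanvgPatched(entry.version)) hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level canvg is patched, the copy nested
// under jspdf is not. Versions here are made up for the example.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/canvg': { version: '4.0.3' },
    'node_modules/jspdf': { version: '0.0.0-sample' },
    'node_modules/jspdf/node_modules/canvg': { version: '3.0.6' },
  },
};

console.log(JSON.stringify(findUnpatchedCanvg(SAMPLE_LOCK)));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means every installed canvg copy is at or above the patched release for its line.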