Listen to this Post
The vulnerability exists within the `addImage` and `html` methods of the jsPDF library. When processing a BMP image, the library reads the image’s width and height fields from the file header without imposing sufficient validation or bounds checks. An attacker can craft a malicious BMP file with artificially large values (e.g., 0xFFFFFFFF) declared in these header fields. When jsPDF attempts to allocate a pixel buffer for this image, it calculates the required memory as width height bytes per pixel. This calculation with the maliciously large dimensions results in an attempt to allocate an impossibly large amount of memory (e.g., several exabytes). This triggers an out-of-memory (OOM) error in the Node.js or browser environment, causing the application to crash or become unresponsive, leading to a Denial of Service (DoS). The vulnerability is directly exploitable if user-supplied, unsanitized image data is passed to these vulnerable methods.
Platform: jsPDF
Version: < 4.1.0
Vulnerability: BMP DoS
Severity: High
date: 2024-05-16
Prediction: Patched 2024-05-16
What Undercode Say:
npm list jspdf npm audit npm update jspdf@latest
// Check for vulnerable version
const pkg = require('./package.json');
if (semver.lt(pkg.dependencies.jspdf, '4.1.0')) {
console.log('Vulnerable version detected.');
}
How Exploit:
const maliciousBMPHeader = new ArrayBuffer(54); const headerView = new DataView(maliciousBMPHeader); // Set width and height to extremely large values headerView.setUint32(18, 0xFFFFFFFF, true); // Width headerView.setUint32(22, 0xFFFFFFFF, true); // Height // Prepend malicious header to any BMP data payload const payload = concatenateBuffers(maliciousBMPHeader, bmpData); doc.addImage(payload, 'BMP', 0, 0, 100, 100);
Protection from this CVE
Upgrade to jsPDF version 4.1.0 or later. Implement server-side validation and sanitization of all user-uploaded image files, verifying image dimensions before processing. Consider converting user-supplied images to a safe format using a trusted library before passing them to jsPDF.
Impact:
Denial of Service (DoS) via application crash or freeze due to memory exhaustion.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

