Saved February 14, 2026
Do you care about this?
The jsPDF library has a critical vulnerability allowing attackers to steal local files by exploiting unsanitized paths in generated PDFs. This affects versions before 4.0, with a severity score of 9.2. Users are advised to upgrade to version 4.0.0 or later for protection.
If you do, here's more
The jsPDF library, commonly used for generating PDFs in JavaScript applications, has a serious vulnerability tracked as CVE-2025-68428. The flaw is a local file inclusion and path traversal issue in versions prior to 4.0, and it scores 9.2 on the severity scale. The root cause is that the library's 'loadFile' function accepts user-controlled input as a file path, so an attacker-supplied path can cause the contents of a local file to be read and embedded in the generated PDF. Other functions such as 'addImage' and 'html' are also affected, because they can invoke 'loadFile' internally.
The vulnerability predominantly affects Node.js builds of jsPDF, specifically the dist/jspdf.node.js and dist/jspdf.node.min.js files. According to a report by Endor Labs, the likelihood of exploitation is low if developers implement strict controls, such as hardcoding file paths or using trusted configurations. The jsPDF team has addressed the issue in version 4.0.0 by limiting filesystem access by default and suggesting the use of Node.js permission mode, which is still experimental in Node 20. Users are encouraged to upgrade Node.js itself to 22.13.0, 23.5.0, or 24.0.0 to reduce risk.
However, using the suggested '--permission' flag affects the entire Node.js process, not just jsPDF, which could create additional security risks. Additionally, overly permissive settings with the '--allow-fs-read' flag can undermine the fix. The jsPDF team advises users of older Node versions to sanitize user inputs before passing them to the library. Given jsPDF's widespread use, this vulnerability poses a significant concern for many developers.