CVE-2025-65108
Published 2025-11-21
Priority: P2 (69)
Severity: critical, CVSS 3.1 score 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.90% (55.0th percentile)
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown-to-PDF converter process of the md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simonhaenisch | md-to-pdf | < 5.2.5 | 5.2.5 |
| simonhaenisch | md-to-pdf | >= 0 < 5.2.5 | 5.2.5 |
OSV
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
osv·2025-11-20
CVE-2025-65108 [CRITICAL] md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
### Summary
A Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown-to-PDF converter process of the **md-to-pdf** library, resulting in remote code execution.
### Details
**md-to-pdf** uses the gray-matter library to parse front matter. Gray-matter exposes a JavaScript engine that, when enabled or triggered by certain front-matter delimiters (e.g. `---js` or `---javascript`), will evaluate the front-matter contents as JavaScript. If user-supplied Markdown is fed to md-to-pdf and the front matter contains malicious JS, the converter process will execute that code.
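One way to screen untrusted Markdown for the delimiter described under Details before it reaches the converter, as an added example that is not code from the advisory, md-to-pdf or gray-matter: a pre-parse check that rejects any front-matter fence naming a language outside a small allowlist. It assumes the default `---` delimiter; the function names, the allowlist and the sample documents are constructed for illustration.

```javascript
// Added example: pre-parse guard for untrusted Markdown.
// Assumption: the parser uses the default '---' front-matter delimiter.
// Allowlist chosen for this example: plain fence, yaml, yml.
const ALLOWED_LANGUAGES = new Set(['', 'yaml', 'yml']);

// Returns the language tag on the opening front-matter fence,
// '' for a plain '---' fence, or null when there is no front matter.
function frontMatterLanguage(markdown) {
  const text = String(markdown).replace(/^\uFEFF/, ''); // ignore a leading BOM
  if (!text.startsWith('---')) return null;
  if (text.charAt(3) === '-') return null; // '----' is not a fence
  const firstLine = text.slice(3).split(/\r?\n/, 1)[0];
  return firstLine.trim().toLowerCase();
}

// Throws before the document reaches the converter if the fence
// selects a language outside the allowlist (e.g. js, javascript).
function assertSafeFrontMatter(markdown) {
  const lang = frontMatterLanguage(markdown);
  if (lang !== null && !ALLOWED_LANGUAGES.has(lang)) {
    throw new Error(`front-matter language "${lang}" is not allowed`);
  }
  return lang;
}

// Constructed sample inputs; the bodies are inert placeholders.
const samples = {
  plain: '---\ntitle: Report\n---\n# Hello\n',
  tagged: '---javascript\n/* placeholder */\n---\n# Hello\n',
  spaced: '\uFEFF--- JS \r\n/* placeholder */\r\n---\n# Hello\n',
  none: '# Just a heading\n',
};

// Maps a document to 'accept' or 'reject' for logging or routing.
function classify(markdown) {
  try {
    assertSafeFrontMatter(markdown);
    return 'accept';
  } catch (err) {
    return 'reject';
  }
}
```

A check like this is defence in depth for services that accept Markdown from users; the fix stated on this page is upgrading md-to-pdf to 5.2.5.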
### PoC
```
const { mdToPdf } = require('md-to-pdf');
```
GHSA
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
ghsa·2025-11-20
CVE-2025-65108 [CRITICAL] CWE-94 md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.