CVE-2025-65108
published 2025-11-21


Priority: P2 69
Severity: critical, 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.90% (55.0th percentile)
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown-to-PDF converter process of the md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
simonhaenisch | md-to-pdf | < 5.2.5 | 5.2.5
simonhaenisch | md-to-pdf | >= 0 < 5.2.5 | 5.2.5