16 matches found
CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...
CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...
@bpa-solutions/assistant (>=13.5.0 <=13.5.0-dev), @mazaal-dev/piece-markdown-to-pdf (=0.0.2) +1 more potentially affected by CVE-2025-65108 via md-to-pdf (>=5.0.1 <=5.2.4)
md-to-pdf NPM version =5.0.1, =13.5.0, =0.11.1, =0.11.2 Source cves: CVE-2025-65108 Source advisory: SNYK:JS-MDTOPDF-14089788...
Arbitrary Code Injection
Overview: md-to-pdf is a CLI tool for converting Markdown files to PDF. Affected versions of this package are vulnerable to Arbitrary Code Injection via the gray-matter library when parsing front matter containing JavaScript delimiters. An attacker can execute arbitrary code in the Markdown-to-PDF...
GHSA-547R-QMJM-8HVW md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Summary: A Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown to PDF converter process of the md-to-pdf library, resulting in remote code execution. Details: md-to-pdf uses the gray-matter library to parse...
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Summary: A Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown to PDF converter process of the md-to-pdf library, resulting in remote code execution. Details: md-to-pdf uses the gray-matter library to parse...
Exploit for CVE-2021-23639
Overview: md-to-pdf is a CLI tool for converting Markdown fil...
@bitacode/apispecmd-ts (>=0.0.1 <=0.1.2), @layer0/node-license-report (>=0.0.0 <=0.0.3) +13 more potentially affected by CVE-2021-23639 via md-to-pdf (>=2.8.2 <=4.1.0)
md-to-pdf NPM version =2.8.2, =0.0.1, =0.0.0, =0.0.2, =0.0.2, =0.7.2, =1.0.1, =0.2.0, =0.1.0, =1.1.0, =0.2.0, =1.5.0, =1.10.0, =1.0.0, =0.0.2, =0.0.10 Source cves: CVE-2021-23639 Source advisory: OSV:GHSA-X949-7CM6-FM6P...
Code Injection in md-to-pdf.
The package md-to-pdf before 5.0.0 is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine...
GHSA-X949-7CM6-FM6P Code Injection in md-to-pdf.
The package md-to-pdf before 5.0.0 is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine...
CVE-2021-23639
The package md-to-pdf before 5.0.0 is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine...
CVE-2021-23639
The package md-to-pdf before 5.0.0 is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine...
Remote code execution
The package md-to-pdf before 5.0.0 is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine...
CVE-2021-23639
md-to-pdf before 5.0.0 is vulnerable to Remote Code Execution via gray-matter parsing of front matter without disabling the JS engine. Affected tool is the CLI md-to-pdf (Simonhaenisch) with PoC demonstrations and Snyk/Snyk-like advisories confirming RCE risk. The root cause is executing embedded...
CVE-2021-23639 Remote Code Execution (RCE)
The package md-to-pdf before 5.0.0 is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine...
Remote Code Execution (RCE)
Overview: md-to-pdf is a CLI tool for converting Markdown files to PDF. Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine. PoC: bash //Before running poc.js: $ cat...