CVE-2025-65108
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Description
### Summary A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of **md-to-pdf** library, resulting in remote code execution. ### Details **md-to-pdf** uses the gray-matter library to parse front-matter. Gray-matter exposes a JavaScript engine that, when enabled or triggered by certain front-matter delimiters (e.g. ---js or ---javascript), will evaluate the front-matter contents as JavaScript. If user-supplied Markdown is fed to md-to-pdf and the front-matter contains malicious JS, the converter process will execute that code. ### PoC ``` const { mdToPdf } = require('md-to-pdf'); var payload = '---javascript\n((require("child_process")).execSync("calc.exe"))\n---RCE'; (async () => { await mdToPdf({ content: payload }, { dest: './output.pdf'}); })(); ``` Running the PoC on Windows launches the calculator application, demonstrating arbitrary code execution. ### Impact - Remote code execution in the process that performs Markdown->PDF conversion. - If the converter is run in a web app or cloud service, an attacker uploading malicious Markdown can execute arbitrary commands on the
How to fix CVE-2025-65108
To remediate CVE-2025-65108, upgrade the affected package to a fixed version below.
- —upgrade to 5.2.5 or later
Is CVE-2025-65108 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 5.2.5