CVE-2025-65108

Name of the Vulnerable Software and Affected Versions md-to-pdf versions prior to 5.2.5

Description md-to-pdf is a command-line interface (CLI) tool used for converting Markdown files to PDF format, utilizing Node.js and a headless Chrome browser. A flaw exists in how the tool processes Markdown front-matter blocks. Specifically, when a front-matter block contains JavaScript delimiters, the JavaScript engine within the gray-matter library is triggered, leading to the execution of arbitrary code within the md-to-pdf conversion process. This can result in remote code execution (RCE). The gray-matter library parses front-matter, and when triggered by specific delimiters (like ---js or ---javascript), it evaluates the contents as JavaScript. If a user provides malicious JavaScript within the front-matter of a Markdown file, this code will be executed during the conversion process. A proof-of-concept (PoC) demonstrates the ability to launch the calculator application on Windows systems, confirming the potential for arbitrary code execution. This issue impacts the process responsible for Markdown-to-PDF conversion.

Recommendations Versions prior to 5.2.5: Upgrade to version 5.2.5 or later to resolve this issue.