Platform: nodejs
Component: md-to-pdf
Fixed in: 5.2.6, 5.2.5
CVE-2025-65108 is a critical remote code execution (RCE) vulnerability affecting the md-to-pdf Node.js library. This vulnerability arises from the improper handling of JavaScript within Markdown front-matter blocks, allowing an attacker to inject and execute arbitrary code. Versions prior to 5.2.5 are vulnerable; upgrading to this version resolves the issue.
The vulnerability lies in how md-to-pdf utilizes the gray-matter library to parse Markdown front-matter. gray-matter allows JavaScript execution within front-matter blocks when specific delimiters (e.g., `---js` or `---javascript`) are present. An attacker can craft a malicious Markdown file containing JavaScript code within the front-matter. When md-to-pdf processes this file, the JavaScript will be executed within the context of the md-to-pdf process, granting the attacker complete control over the system. This could lead to data theft, system compromise, or further malicious activity. The blast radius extends to any application using md-to-pdf to convert Markdown to PDF, particularly those processing untrusted user input.
This vulnerability was publicly disclosed on 2025-11-20. Exploitation probability is considered high due to the ease of crafting malicious Markdown files and the widespread use of Node.js in web applications. No public proof-of-concept exploits have been released at the time of writing, but the vulnerability's nature suggests that such exploits are likely to emerge. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.56% (68th percentile)
The primary mitigation is to upgrade to version 5.2.5 or later of the md-to-pdf library. If upgrading is not immediately feasible, consider implementing input validation to sanitize Markdown front-matter, specifically disallowing or escaping JavaScript delimiters. A Web Application Firewall (WAF) could be configured to block requests containing suspicious JavaScript code in the Markdown content. Monitor application logs for unusual process execution or unexpected behavior following Markdown processing. After upgrading, confirm the fix by attempting to process a test Markdown file containing a known malicious JavaScript payload within the front-matter; the payload should not execute.
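One way to implement the front-matter validation described above as a stopgap, shown as an added example (not code from md-to-pdf or gray-matter): an allowlist filter that inspects the tag on the opening `---` line before a document reaches the converter. The function names and sample documents are constructed for illustration, and the tag rule (text after `---` on the first line, trimmed, case-insensitive) is an assumption about how the engine is selected.

```javascript
// Added example, not md-to-pdf or gray-matter code. All names are hypothetical.
// Assumption: the front-matter engine is chosen by the text that follows the
// opening '---' on the first line, trimmed and compared case-insensitively.

// Allowlist of data-only formats. '' means a bare '---' (default YAML).
const ALLOWED_ENGINES = new Set(['', 'yaml', 'yml', 'json']);

// Return the engine tag on the opening delimiter, or null when the document
// has no front-matter block.
function frontMatterEngine(markdown) {
  // trimStart() drops a BOM and leading whitespace. This is deliberately
  // stricter than a parser that only honours '---' at offset 0, so the filter
  // cannot be sidestepped by padding the start of the file.
  const text = String(markdown).trimStart();
  // '----' is a horizontal rule, not a front-matter delimiter.
  if (!text.startsWith('---') || text.charAt(3) === '-') return null;
  const firstLine = text.slice(3).split(/\r?\n/, 1)[0];
  return firstLine.trim().toLowerCase();
}

// Reject every tag that is not on the allowlist, including unknown ones,
// instead of trying to enumerate the dangerous tags.
function checkFrontMatter(markdown) {
  const engine = frontMatterEngine(markdown);
  if (engine === null || ALLOWED_ENGINES.has(engine)) return { ok: true, engine };
  return { ok: false, engine, reason: `front-matter engine "${engine}" is not allowed` };
}

// Constructed sample documents (the tagged ones carry a harmless object literal).
const SAMPLES = {
  plain: '# Title\n\nNo front-matter here.\n',
  yaml: '---\ntitle: Report\n---\n# Title\n',
  explicitYaml: '---yaml\ntitle: Report\n---\n# Title\n',
  jsTag: '---js\n{ title: "Report" }\n---\n# Title\n',
  spacedUpper: '\uFEFF--- JavaScript \r\n{ title: "Report" }\r\n---\r\n# Title\r\n',
  unknown: '---coffee\ntitle: "Report"\n---\n# Title\n',
};

function runSamples() {
  const results = {};
  for (const [name, md] of Object.entries(SAMPLES)) results[name] = checkFrontMatter(md).ok;
  return results;
}

console.log(runSamples());
```

Run the check on every untrusted document before it is handed to md-to-pdf and refuse the conversion on `ok: false`; rewriting the delimiter in place is easier to get wrong than rejecting the file.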
Update the md-to-pdf library to version 5.2.5 or higher. This will fix the remote code execution vulnerability caused by insecure front matter parsing. Run `npm install md-to-pdf@latest` to update.
CVE-2025-65108 is a critical remote code execution vulnerability in the md-to-pdf Node.js library. Malicious JavaScript in Markdown front-matter can be executed, allowing attackers to take control of the system.
You are affected if you are using md-to-pdf versions prior to 5.2.5 and processing untrusted Markdown input.
Upgrade to version 5.2.5 or later of the md-to-pdf library. Implement input validation to sanitize Markdown front-matter if immediate upgrade is not possible.
While no public exploits have been released, the vulnerability's ease of exploitation suggests active exploitation is likely.
Refer to the md-to-pdf project's repository or website for the official advisory and release notes.