Platform
nodejs
Component
md-to-pdf
Fixed in
5.2.6
5.2.5
CVE-2025-65108 is a critical remote code execution (RCE) vulnerability in the md-to-pdf Node.js library. It stems from unsafe parsing of Markdown front-matter: a document can select gray-matter's JavaScript front-matter engine, and the code it carries is then evaluated during conversion, so an attacker who controls the Markdown input can execute arbitrary code. Versions prior to 5.2.5 are vulnerable; upgrading to 5.2.5 or later resolves the issue.
The root cause is in how md-to-pdf uses the gray-matter library to parse Markdown front-matter. gray-matter selects a parsing engine from the token that follows the opening delimiter, and its JavaScript engine (selected by ---js or ---javascript) evaluates the front-matter body as code. An attacker therefore only needs a Markdown file whose front-matter block names that engine and contains the payload. When md-to-pdf converts the file, the payload runs inside the md-to-pdf process with that process's privileges, which on a typical conversion service means compromise of the host or container, access to its secrets and data, and a foothold for further activity. The blast radius covers every application that uses md-to-pdf to convert Markdown to PDF, and above all those that convert Markdown supplied by untrusted users.
The vulnerability was publicly disclosed on 2025-11-20. Exploitation probability is considered high: a working file is nothing more than a front-matter block with the right delimiter and a payload, and md-to-pdf is commonly wired directly to user-supplied Markdown. No public proof-of-concept had been released at the time of writing, but the vulnerability's nature makes one easy to produce, so exploits should be expected. It is not currently listed on CISA KEV.
Node.js applications that use md-to-pdf to convert Markdown to PDF are at risk: content management systems, documentation generators, and any service that accepts Markdown from users. The exposure is greatest where a single conversion process handles documents from many users or tenants, because the injected code runs with that process's privileges and reaches everything it can.
• nodejs / supply-chain: run `npm audit` in the project directory (it checks the lockfile against the npm advisory database) and `npm ls md-to-pdf` to see the installed version; anything below 5.2.5 is affected.
• nodejs / supply-chain: with Yarn, run `yarn audit` (Yarn 1) or `yarn npm audit` (Yarn 2+) and `yarn why md-to-pdf` to locate the dependency.
• generic web: inspect application logs for unusual child processes, outbound connections, or errors that coincide with Markdown-to-PDF conversion; code executing inside the conversion process usually leaves such traces around the conversion request.
• generic web: inspect uploaded or submitted Markdown for a front-matter block whose opening delimiter names a JavaScript engine (---js or ---javascript, including whitespace and case variants); that token is the marker of an attempt.
Disclosure
Exploit status
EPSS: 0.56% (68th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade md-to-pdf to version 5.2.5 or later. If that is not immediately possible, validate input before conversion: reject or strip any front-matter block whose opening delimiter names an engine other than YAML (---js, ---javascript and their variants), since that token is what turns front-matter into code. A Web Application Firewall (WAF) rule on the same pattern adds a layer but should not be relied on alone, because whitespace, case and encoding variants are easy to miss at the network edge. Monitor application logs for unexpected child processes, outbound connections or errors that follow Markdown processing. After upgrading, confirm the fix by converting a test Markdown file whose ---js front-matter carries a benign payload with an observable side effect; the side effect must not occur.
Update the md-to-pdf library to version 5.2.5 or later. This resolves the remote code execution vulnerability caused by unsafe front-matter parsing. Run `npm install md-to-pdf@latest` to update.
CVE-2025-65108 is a critical remote code execution vulnerability in the md-to-pdf Node.js library. Malicious JavaScript placed in Markdown front-matter is executed during conversion, giving an attacker code execution with the privileges of the converting process.
You are affected if you are using md-to-pdf versions prior to 5.2.5 and processing untrusted Markdown input.
Upgrade to version 5.2.5 or later of the md-to-pdf library. Implement input validation to sanitize Markdown front-matter if immediate upgrade is not possible.
No public exploit had been released at the time of writing, but the vulnerability is easy to exploit, so active exploitation should be expected.
Refer to the md-to-pdf project's repository or website for the official advisory and release notes.