Critical Markdown to PDF Flaw (CVE-2025-65108, CVSS 10.0) Allows RCE via JS Injection in Markdown Front-Matter

A critical vulnerability (CVE-2025-65108) has been disclosed in the widely used Markdown to PDF npm package, a command-line tool with more than 47,000 weekly downloads. The flaw carries a maximum CVSS score of 10, enabling arbitrary JavaScript code execution through malicious front-matter parsing. Any application, build system, or cloud service that uses the package to process untrusted Markdown content is at serious risk.

According to the advisory, “A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process […] If user-supplied Markdown is fed to md-to-pdf and the front-matter contains malicious JS, the converter process will execute that code.”

The vulnerability stems from how the md-to-pdf package uses the popular gray-matter library to parse YAML/JSON front-matter blocks in Markdown. Gray-matter includes an optional JavaScript evaluation mode—normally disabled—but automatically activates when specific delimiters like —js or —javascript appear.

An attacker can therefore embed malicious JavaScript into the Markdown file’s front matter, turning a simple document upload into a full system compromise.

The advisory includes an especially clear and dangerous PoC demonstrating the flaw. The payload manipulates front-matter to execute arbitrary OS commands:

const { mdToPdf } = require('md-to-pdf');

var payload = '---javascript\n((require("child_process")).execSync("calc.exe"))\n---RCE';

(async () => {
	await mdToPdf({ content: payload }, { dest: './output.pdf'});
})();

This means that any server, CI/CD pipeline, or desktop tool that converts Markdown to PDF can be exploited simply by opening a malicious Markdown file.

All versions below 5.2.5 are vulnerable. Users should update immediately.

 Related Posts:

• W2 Form Phishing Campaign Delivers Brute Ratel and Latrodectus Malware
• ChatGPT Reaches 800 Million Weekly Users, Cementing Dominance in Generative AI Adoption

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy