CVE-2025-65108: 
JavaScript vulnerability analysis and mitigation

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a critical vulnerability (CVE-2025-65108) was discovered where a Markdown front-matter block containing JavaScript delimiter could trigger arbitrary code execution in the converter process. This vulnerability was disclosed on November 20, 2025, affecting all versions below 5.2.5 (GitHub Advisory).

The vulnerability stems from md-to-pdf's use of the gray-matter library to parse front-matter. The gray-matter library includes a JavaScript engine that can be triggered by specific front-matter delimiters (---js or ---javascript), allowing evaluation of front-matter contents as JavaScript. When user-supplied Markdown containing malicious JavaScript in the front-matter is processed, the converter executes that code. The vulnerability has been assigned a CVSS v3.1 base score of 10.0 (Critical), with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Changed, and impact levels (confidentiality, integrity, availability) all rated as High (GitHub Advisory).

The vulnerability enables remote code execution in the process that performs Markdown-to-PDF conversion. If the converter is running in a web application or cloud service environment, an attacker could execute arbitrary commands on the host system by uploading malicious Markdown content. This poses a significant risk to system security and data integrity (GitHub Advisory).

The vulnerability has been patched in version 5.2.5 and later. Users should upgrade to the latest version immediately. The fix involves correctly overriding the JavaScript engine of gray-matter to prevent arbitrary code execution (GitHub Commit).