Critical Vulnerability in md-to-pdf: CVE-2025-65108 Allows Remote Code Execution

Overview

CVE-2025-65108 is a critical security vulnerability affecting md-to-pdf, a command-line tool used for converting Markdown files to PDF using Node.js and headless Chrome. This vulnerability allows for remote code execution (RCE) due to unsanitized processing of JavaScript delimiters within Markdown front-matter blocks.

The vulnerability exists in versions prior to 5.2.5. An attacker could supply a Markdown file with a specially crafted front-matter block which, when processed by md-to-pdf, would lead to arbitrary code execution on the system running the tool.

Technical Details

The vulnerability stems from the use of the gray-matter library for parsing Markdown front-matter. Prior to the patch, the gray-matter library would execute JavaScript code embedded within the front-matter block when certain delimiters were used. An attacker can leverage this behavior to inject malicious JavaScript code into the front-matter of a Markdown file. When `md-to-pdf` processes this file, the injected JavaScript is executed, potentially leading to full system compromise.

Specifically, the issue resides in the way gray-matter handles the execution context within the front-matter parsing process. By crafting a specific payload, attackers could bypass security measures and gain control over the execution environment.

CVSS Analysis

  • CVE ID: CVE-2025-65108
  • Severity: CRITICAL
  • CVSS Score: 10.0

A CVSS score of 10.0 indicates the highest level of severity. This vulnerability is remotely exploitable, requires no user interaction, and can lead to complete compromise of the affected system. This warrants immediate attention and remediation.

Possible Impact

Successful exploitation of CVE-2025-65108 can have severe consequences, including:

  • Remote Code Execution (RCE): An attacker can execute arbitrary code on the server or workstation running md-to-pdf.
  • Data Breach: Sensitive data accessible to the compromised process could be stolen.
  • System Compromise: The entire system could be taken over by the attacker.
  • Supply Chain Attacks: If md-to-pdf is used as part of an automated build process, malicious Markdown files could be injected to compromise the entire chain.

Mitigation and Patch Steps

The vulnerability has been patched in md-to-pdf version 5.2.5. The recommended mitigation step is to immediately upgrade to this version or a later version.

  1. Update md-to-pdf: Use npm to update to the latest version: `npm install -g md-to-pdf@latest`
  2. Verify Version: After the update, verify that you are running version 5.2.5 or later. Use the command `md-to-pdf --version`.
  3. Review Input Sources: If possible, review the sources of your Markdown files to ensure they are trusted. Consider implementing additional input validation to detect and prevent malicious content.
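
One way to implement the input validation from step 3, as an added example (not code from md-to-pdf or gray-matter): a pre-conversion check that reads the engine tag written after the opening `---` of a front-matter block and rejects anything that is not plain YAML. The function names, the YAML-only allowlist and the sample files are assumptions made for illustration; the check complements the upgrade and does not replace it.

```javascript
// Added example: pre-conversion gate for untrusted Markdown (hypothetical helper names).
// Assumed policy: only YAML front-matter is expected ("---", "---yaml", "---yml").
const ALLOWED_ENGINES = new Set(['', 'yaml', 'yml']);

// Return the engine tag that follows the opening "---" (lower-cased, trimmed),
// or null when the document does not start with a front-matter block.
function frontMatterEngine(markdown) {
  const text = markdown.replace(/^\uFEFF/, ''); // ignore a leading byte-order mark
  if (!text.startsWith('---')) return null;
  const firstLine = text.slice(3).split(/\r?\n/, 1)[0];
  if (firstLine.startsWith('-')) return null; // "----" is a rule, not a delimiter
  return firstLine.trim().toLowerCase();
}

// Decide whether one file may be handed to the converter.
function checkMarkdown(name, markdown) {
  const engine = frontMatterEngine(markdown);
  const ok = engine === null || ALLOWED_ENGINES.has(engine);
  return { name, engine, ok };
}

// Check a whole batch; the caller should stop the build if any entry has ok === false.
function scanAll(files) {
  return Object.entries(files).map(([name, md]) => checkMarkdown(name, md));
}

// Constructed sample inputs (bodies are inert placeholders).
const SAMPLES = {
  'plain.md': '# Title\n\nBody\n',
  'yaml.md': '---\ntitle: Report\n---\n# Title\n',
  'tagged.md': '---js\n{ title: "constructed sample" }\n---\n# Title\n',
  'spaced.md': '\uFEFF--- JavaScript\n{ title: "constructed sample" }\n---\n',
  'rule.md': '----\nNot front-matter\n',
};

for (const r of scanAll(SAMPLES)) {
  const verdict = r.ok ? 'ok    ' : 'REJECT';
  console.log(`${verdict} ${r.name} engine=${JSON.stringify(r.engine)}`);
}
```

Run the check in the pipeline stage that receives Markdown from outside, before md-to-pdf is invoked, and fail the job on any rejected file.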

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
