CVE-2025-65108
Published: 21 November 2025
Description
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown to PDF converter process of the md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5.
Mitigating Controls (NIST 800-53 r5)
Remediating the code injection flaw in md-to-pdf by patching to version 5.2.5 or later directly prevents arbitrary JavaScript execution from malicious Markdown front-matter.
Validating Markdown inputs to reject or sanitize JavaScript delimiters in front-matter blocks addresses the CWE-94 code injection vulnerability in the gray-matter library.
Enforcing policies to prohibit or approve user installation of vulnerable md-to-pdf versions prevents deployment and use of the affected CLI tool.
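The input-validation control above can be run as a gate in front of the converter. The following is an added example, not code from md-to-pdf, gray-matter or the patch. It assumes the default `---` delimiter and gray-matter's convention that an engine name may follow the opening delimiter on the first line; the function names and sample documents are constructed for illustration. It allowlists data-only engines and fails closed on anything else.

```javascript
// Added example: pre-conversion gate for Markdown front matter.
// Assumption: default gray-matter delimiters ("---") and its convention that
// an engine name may follow the opening delimiter on the first line.
const ALLOWED_ENGINES = new Set(["", "yaml", "yml", "json"]);

// Returns { hasFrontMatter, engine, allowed } for one Markdown document.
function inspectFrontMatter(markdown) {
  // Drop a UTF-8 BOM so it cannot hide the opening delimiter from this check.
  const text = markdown.charCodeAt(0) === 0xfeff ? markdown.slice(1) : markdown;
  if (!text.startsWith("---")) {
    return { hasFrontMatter: false, engine: null, allowed: true };
  }
  // Everything after "---" on the first line is treated as the engine name.
  const firstLine = text.split(/\r?\n/, 1)[0];
  const engine = firstLine.slice(3).trim().toLowerCase();
  return { hasFrontMatter: true, engine, allowed: ALLOWED_ENGINES.has(engine) };
}

// Returns the names of the documents that must not reach the converter.
function rejectedDocuments(docs) {
  return Object.entries(docs)
    .filter(([, body]) => !inspectFrontMatter(body).allowed)
    .map(([name]) => name);
}

// Constructed sample inputs (not taken from the advisory); bodies are inert.
const SAMPLES = {
  "plain.md": "# Report\n\nNo front matter here.\n",
  "yaml.md": "---\ntitle: Quarterly report\n---\n# Report\n",
  "yaml-tagged.md": "--- yaml\ntitle: Quarterly report\n---\n# Report\n",
  "js-tagged.md": "---js\n{ title: 'Quarterly report' }\n---\n# Report\n",
  "js-bom-crlf.md": "\uFEFF---JavaScript\r\n{ title: 'x' }\r\n---\r\n# Report\r\n",
  "unknown-engine.md": "---coffee\ntitle: 'x'\n---\n# Report\n",
};

console.log(rejectedDocuments(SAMPLES));
```

A gate like this reduces exposure for untrusted input but does not replace upgrading to version 5.2.5 or later.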
Security Summary
CVE-2025-65108 is a remote code execution vulnerability in the md-to-pdf CLI tool, which converts Markdown files to PDF using Node.js and headless Chrome. The issue affects versions prior to 5.2.5 and stems from the gray-matter library's JavaScript engine executing arbitrary code when processing a Markdown front-matter block containing a JavaScript delimiter. This flaw, classified under CWE-94 (code injection), carries a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and high impact across confidentiality, integrity, and availability with scope change.
Attackers can exploit this vulnerability by supplying a malicious Markdown file to a victim using the affected md-to-pdf versions. No authentication or privileges are needed, and exploitation requires only that the tool process the file, leading to arbitrary code execution within the converter process. This enables full system compromise on the host running md-to-pdf, such as data theft, persistence, or further lateral movement.
The vulnerability has been patched in md-to-pdf version 5.2.5. The GitHub security advisory (GHSA-547r-qmjm-8hvw) and the patching commit (46bdcf2051c8d1758b391c1353185a179a47a4d9) detail the fix, recommending immediate upgrades for all users of the tool.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote code execution (T1203) in the md-to-pdf client tool via crafted Markdown front-matter that triggers arbitrary JavaScript execution in the gray-matter library (T1059.007).