10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65108

CVE-2025-65108: md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter

Summary

A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of md-to-pdf library, resulting in remote code execution.

Details

md-to-pdf uses the gray-matter library to parse front-matter. Gray-matter exposes a JavaScript engine that, when enabled or triggered by certain front-matter delimiters (e.g. ---js or ---javascript), will evaluate the front-matter contents as JavaScript. If user-supplied Markdown is fed to md-to-pdf and the front-matter contains malicious JS, the converter process will execute that code.

PoC

const { mdToPdf } = require('md-to-pdf');

var payload = '---javascript\n((require("child_process")).execSync("calc.exe"))\n---RCE';

(async () => {
	await mdToPdf({ content: payload }, { dest: './output.pdf'});
})();

Running the PoC on Windows launches the calculator application, demonstrating arbitrary code execution.

Impact

Remote code execution in the process that performs Markdown->PDF conversion.
If the converter is run in a web app or cloud service, an attacker uploading malicious Markdown can execute arbitrary commands on the

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65108

CVE-2025-65108:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
md-to-pdf	npm	< 5.2.5	5.2.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the md-to-pdf library because it fails to disable all JavaScript execution engines within its dependency, gray-matter. The library attempts to disable the JavaScript engine for front-matter by providing a custom engine configuration that throws an error. However, it only did so for the js language alias, while gray-matter also supports the javascript alias. An attacker could therefore craft a markdown document with a ---javascript front-matter block containing malicious code. When mdToPdf processes this markdown, gray-matter executes the code, leading to remote code execution on the server running the conversion. The patch corrects this by changing the configuration to disable the javascript engine, thus closing the code execution vector. The primary vulnerable function is mdToPdf as it is the entry point for the vulnerable operation.

Vulnerable functions

mdToPdf

src/lib/config.ts

The `mdToPdf` function is vulnerable because it uses the `gray-matter` library to parse front-matter without properly disabling the JavaScript engine. The patch shows that the configuration was updated to disable the `javascript` engine, which was previously not disabled, allowing for arbitrary code execution when parsing specially crafted markdown.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65108: md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter

Summary

Details

PoC

Impact

CVE-2025-65108:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-65108: md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter

Summary

Details

PoC

Impact

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

10

10

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI