GHSA-547r-qmjm-8hvw

Source
https://github.com/advisories/GHSA-547r-qmjm-8hvw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-547r-qmjm-8hvw/GHSA-547r-qmjm-8hvw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-547r-qmjm-8hvw
Aliases
Published
2025-11-20T17:48:11Z
Modified
2025-11-25T19:48:40Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Details

Summary

A Markdown front-matter block that starts with a JavaScript delimiter causes the JavaScript engine of the gray-matter library to execute arbitrary code inside the Markdown-to-PDF converter process of the md-to-pdf library, resulting in remote code execution.

Details

md-to-pdf uses the gray-matter library to parse front matter. gray-matter exposes a JavaScript engine that, when selected by certain front-matter delimiters (e.g. ---js or ---javascript), evaluates the front-matter contents as JavaScript. If user-supplied Markdown is fed to md-to-pdf and its front matter contains malicious JavaScript, the converter process executes that code.

PoC

const { mdToPdf } = require('md-to-pdf');

var payload = '---javascript\n((require("child_process")).execSync("calc.exe"))\n---RCE';

(async () => {
    await mdToPdf({ content: payload }, { dest: './output.pdf'});
})();

Running the PoC on Windows launches the calculator application, demonstrating arbitrary code execution.
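As an added defender-side illustration (not code from the advisory, md-to-pdf or gray-matter): a pre-check that mirrors gray-matter's front-matter opener rule and rejects any input selecting a non-data engine, plus an options object that uses gray-matter's documented engines override to replace both names of its JavaScript engine with a parser that throws. The delimiter rules encoded here are assumptions taken from gray-matter's documented behaviour; the samples are constructed.

```javascript
'use strict';

// Front-matter languages the converter is willing to parse. gray-matter's
// built-in engines are yaml (used when no language follows the delimiter),
// json and javascript (alias js); only the data languages are allowed here.
const ALLOWED_LANGUAGES = new Set(['', 'yaml', 'yml', 'json']);

// Mirrors gray-matter's opener rule (an assumption taken from its documented
// behaviour): the text must begin with the open delimiter `---`, the next
// character must not be another `-`, and the trimmed remainder of that first
// line names the engine. Returns null when there is no front-matter block.
function frontMatterLanguage(markdown, open = '---') {
  const str = markdown.charCodeAt(0) === 0xfeff ? markdown.slice(1) : markdown; // drop a BOM
  if (!str.startsWith(open) || str.charAt(open.length) === open.slice(-1)) return null;
  const rest = str.slice(open.length);
  const eol = rest.search(/\r?\n/);
  const firstLine = eol === -1 ? rest : rest.slice(0, eol);
  // gray-matter resolves engine names case-insensitively, so compare lower-cased.
  return firstLine.trim().toLowerCase();
}

// True when the input would select an engine other than the allowed data formats.
function rejectsFrontMatter(markdown) {
  const lang = frontMatterLanguage(markdown);
  return lang !== null && !ALLOWED_LANGUAGES.has(lang);
}

// Options for gray-matter's `engines` override: both names the JavaScript
// engine is registered under are replaced by a parser that throws, so a
// delimiter that slips past the pre-check still cannot reach eval().
function hardenedGrayMatterOptions() {
  const refuse = {
    parse() { throw new Error('front-matter JavaScript engine is disabled'); },
    stringify() { throw new Error('front-matter JavaScript engine is disabled'); },
  };
  return { engines: { js: refuse, javascript: refuse } };
}

// Constructed samples: the advisory's delimiter shape (body replaced by a
// placeholder comment) and a benign YAML document.
const SAMPLES = {
  poc: '---javascript\n/* attacker-controlled JavaScript would go here */\n---',
  benign: '---\ntitle: Quarterly report\n---\n# Report\n',
};

// Returns which samples the pre-check would reject, keyed by sample name.
function demo() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([k, v]) => [k, rejectsFrontMatter(v)]));
}
```

The pre-check must apply exactly the same opener rules as the parser it guards, otherwise variants such as a leading BOM, CRLF line endings or upper-case language names bypass it; the engines override is the layer that holds regardless.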

Impact

  • Remote code execution in the process that performs Markdown->PDF conversion.
  • If the converter is run in a web app or cloud service, an attacker uploading malicious Markdown can execute arbitrary commands on the
Database specific
{
    "nvd_published_at": "2025-11-21T22:16:33Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed_at": "2025-11-20T17:48:11Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

npm / md-to-pdf

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.2.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-547r-qmjm-8hvw/GHSA-547r-qmjm-8hvw.json"