CVE-2025-65108 CRITICAL

CVE-2025-65108: md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter

Vendor Simonhaenisch

Product md-to-pdf

Weakness CWE-94 · Code injection

Published November 21, 2025

Last update November 24, 2025

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5.

Key dates

Disclosure timeline

November 21, 2025 CVE published

November 24, 2025 Record updated