CVE-2023-0835
📋 TL;DR
CVE-2023-0835 is a path traversal vulnerability in markdown-pdf version 11.0.0 that allows attackers to read arbitrary local files by injecting malicious Markdown content. This affects any application or service using the vulnerable markdown-pdf package to convert user-supplied Markdown to PDF. Attackers can exploit this remotely without authentication.
💻 Affected Systems
- markdown-pdf
📦 What is this software?
Markdown Pdf by Markdown Pdf Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like SSH keys, configuration files, or credentials, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive local files containing application secrets, configuration data, or user information stored on the server.
If Mitigated
Limited impact with proper input validation and file access restrictions in place, potentially only exposing non-sensitive files.
🎯 Exploit Status
Exploitation requires only the ability to submit Markdown content to the vulnerable application. The vulnerability is simple to exploit with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 11.0.1 or later
Vendor Advisory: https://www.npmjs.com/package/markdown-pdf
Restart Required: Yes
Instructions:
1. Update markdown-pdf to version 11.0.1 or later using npm update markdown-pdf.
2. Restart any services or applications using markdown-pdf.
3. Verify the update was successful by checking the package version.
🔧 Temporary Workarounds
Input Validation and Sanitization
All platforms: Implement strict input validation to reject Markdown content containing file path references or suspicious patterns before processing.
File Access Restrictions
Linux: Run the markdown-pdf process with restricted file system permissions using chroot, containers, or least-privilege user accounts.
🧯 If You Can't Patch
- Disable markdown-pdf functionality for untrusted users or implement a proxy service that sanitizes all input.
- Isolate the vulnerable service in a container or VM with minimal file system access and monitor for suspicious file read attempts.
🔍 How to Verify
Check if Vulnerable:
Check if markdown-pdf version 11.0.0 is installed by examining package.json or running npm list markdown-pdf.
Check Version:
npm list markdown-pdf
Verify Fix Applied:
Confirm markdown-pdf version is 11.0.1 or later using npm list markdown-pdf and test with known malicious Markdown payloads to ensure file access is blocked.
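The version check above only covers the top-level dependency; the script below is an added example (not part of this advisory or of the markdown-pdf project) that walks an npm lockfile's "packages" map so nested, transitive copies of markdown-pdf are found too. It assumes a lockfileVersion 2 or 3 layout and, following the advisory's "11.0.1 or later", treats anything below 11.0.1 as unpatched; the lockfile contents are constructed for demonstration.

```javascript
// Added example: find every installed markdown-pdf in an npm lockfile and
// flag copies that predate the CVE-2023-0835 fix (11.0.1, per the advisory).
const FIXED = [11, 0, 1];

// Parse "11.0.0" into numeric parts, dropping any pre-release/build suffix.
function parseVersion(v) {
  const core = v.split('-')[0].split('+')[0];
  return core.split('.').map(Number);
}

// Standard major.minor.patch comparison: negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// True when the given markdown-pdf version is older than the fixed release.
function isVulnerable(version) {
  return compareVersions(parseVersion(version), FIXED) < 0;
}

// Walk the lockfile "packages" map (lockfileVersion 2/3); keys are install
// paths, so a nested key like "node_modules/x/node_modules/markdown-pdf"
// reveals a transitive copy that "npm list markdown-pdf" may not highlight.
function findMarkdownPdf(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith('node_modules/markdown-pdf') && meta.version) {
      hits.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
    }
  }
  return hits;
}

// Constructed sample standing in for the text of a real package-lock.json:
// the direct dependency is patched, but a transitive copy is still 11.0.0.
const SAMPLE_LOCK_TEXT = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    'node_modules/markdown-pdf': { version: '11.0.1' },
    'node_modules/legacy-report-tool/node_modules/markdown-pdf': { version: '11.0.0' },
  },
});
const SAMPLE_LOCK = JSON.parse(SAMPLE_LOCK_TEXT);

console.log(JSON.stringify(findMarkdownPdf(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK_TEXT with the contents of that project's package-lock.json.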
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in application logs, especially attempts to read sensitive system files or configuration files.
Network Indicators:
- Large or unusual PDF generation requests containing file path patterns in the Markdown content.
SIEM Query:
source="application_logs" AND ("markdown-pdf" OR "CVE-2023-0835") AND ("file read" OR "path traversal")