CVE-2025-65108
📋 TL;DR
CVE-2025-65108 is a critical remote code execution vulnerability in md-to-pdf, a Node.js tool for converting Markdown to PDF. Attackers can execute arbitrary code by crafting malicious Markdown files with JavaScript in front-matter blocks. Anyone using md-to-pdf versions before 5.2.5 to process untrusted Markdown files is affected.
💻 Affected Systems
- md-to-pdf
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the server running md-to-pdf, allowing attackers to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.
Likely Case
Remote code execution on systems processing untrusted Markdown files, potentially leading to data theft, service disruption, or further network compromise.
If Mitigated
Limited impact if only processing trusted Markdown files with proper input validation and sandboxing in place.
🎯 Exploit Status
Exploitation requires only a malicious Markdown file. The vulnerability is in the gray-matter dependency's JavaScript parsing engine.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.5
Vendor Advisory: https://github.com/simonhaenisch/md-to-pdf/security/advisories/GHSA-547r-qmjm-8hvw
Restart Required: No
Instructions:
1. Update md-to-pdf to version 5.2.5 or later using npm: npm update md-to-pdf
2. Verify the update with: npm list md-to-pdf
3. Test PDF conversion functionality after update.
🔧 Temporary Workarounds
Input validation and sanitization
Implement strict input validation to reject Markdown files containing JavaScript code in front-matter blocks.
Sandbox execution environment
Run md-to-pdf in a containerized or isolated environment with minimal privileges to limit potential damage from exploitation.
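One way to implement the input validation workaround above, as an added example (not code from md-to-pdf, gray-matter or the advisory). It assumes the default `---` delimiter and that the front-matter language is the text following the opening delimiter on the first line, as in gray-matter's `---js` syntax; the function names and the allowlist are hypothetical.

```javascript
'use strict';
// Added example: pre-filter for Markdown handed to md-to-pdf.
// Assumption: the front-matter language tag is whatever follows the opening
// `---` on the first line (gray-matter's `---js` style). Anything that is
// not on the allowlist is rejected, so unknown tags fail closed.

const DELIMITER = '---';
const ALLOWED_LANGUAGES = new Set(['', 'yaml', 'yml']); // '' means no tag (plain YAML)

// Returns the lowercased language tag, or null when the file has no front matter.
function frontMatterLanguage(markdown) {
  // trimStart() also drops a UTF-8 BOM (U+FEFF counts as whitespace in
  // JavaScript), so neither a BOM nor leading blanks can hide the delimiter.
  const text = markdown.trimStart();
  if (!text.startsWith(DELIMITER)) return null;
  const rest = text.slice(DELIMITER.length);
  const eol = rest.search(/\r?\n/);
  const tag = eol === -1 ? rest : rest.slice(0, eol);
  // A first line such as `----` yields the tag '-', which is also rejected.
  return tag.trim().toLowerCase();
}

// Decide whether a Markdown document may be passed on for conversion.
function checkMarkdown(markdown) {
  const language = frontMatterLanguage(markdown);
  if (language === null || ALLOWED_LANGUAGES.has(language)) {
    return { ok: true, language };
  }
  return {
    ok: false,
    language,
    reason: `front-matter language "${language}" is not allowed`,
  };
}

// Constructed sample inputs (harmless placeholders, not taken from the advisory).
const SAMPLES = [
  '# Report\n\nNo front matter here.\n',
  '---\ntitle: Report\n---\n# Report\n',
  '---js\n{ title: "Report" }\n---\n# Report\n',
  '\uFEFF--- JavaScript\r\n{}\r\n---\r\n# Report\r\n',
];

for (const sample of SAMPLES) {
  const verdict = checkMarkdown(sample);
  console.log(verdict.ok ? 'accept' : `reject: ${verdict.reason}`);
}
```

Run the check before the file reaches md-to-pdf and drop rejected files; it complements upgrading to 5.2.5 and does not replace it.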
🧯 If You Can't Patch
- Discontinue processing untrusted Markdown files with vulnerable versions
- Implement network segmentation to isolate md-to-pdf instances from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check the installed md-to-pdf version with: npm list md-to-pdf | grep md-to-pdf. If the version is below 5.2.5, the system is vulnerable.
Check Version:
npm list md-to-pdf | grep md-to-pdf
Verify Fix Applied:
After updating, verify that the version is 5.2.5 or higher with: npm list md-to-pdf. Test conversion with known safe Markdown files.
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from Node.js context
- Failed PDF conversion attempts with error messages
- Unexpected system commands executed
Network Indicators:
- Outbound connections from md-to-pdf process to unexpected destinations
- Command and control traffic patterns
SIEM Query:
process.name:node AND (process.args:*md-to-pdf* OR process.args:*gray-matter*) AND (process.args:*exec* OR process.args:*spawn* OR process.args:*child_process*)