CVE-2025-65108 – md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter
CVE ID : CVE-2025-65108
Published : Nov. 21, 2025, 10:16 p.m.
Description : md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown-to-PDF converter process of the md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5.
Severity: 10.0 | CRITICAL