Critical severity10.0OSV Advisory· Published Nov 21, 2025· Updated Apr 15, 2026
CVE-2025-65108
CVE-2025-65108
Description
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
md-to-pdfnpm | < 5.2.5 | 5.2.5 |
Affected products
2- Range: v1.1.0, v1.2.0, v1.2.1, …
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.