Critical severity 10.0 · OSV Advisory · Published Nov 21, 2025 · Updated Apr 15, 2026

CVE-2025-65108

Description

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown-to-PDF converter process of the md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5.
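
A defence-in-depth guard for services that convert untrusted Markdown, as an added example that is not code from md-to-pdf or gray-matter: it reads the language tag on the opening front-matter fence and accepts only an allow-list of data formats. The function names, the allow-list and the sample documents are constructed for illustration, and the default `---` delimiter is assumed.

```javascript
// Added example: pre-filter for untrusted Markdown before it reaches a converter.
// Assumptions: default '---' front-matter delimiter; all names here are hypothetical.

// Data-only front-matter languages accepted by this guard (constructed allow-list).
// '' means a bare '---' fence with no language tag.
const ALLOWED_LANGUAGES = new Set(['', 'yaml', 'json']);

// Returns the normalised language tag on the opening fence, or null when the
// document has no front matter.
function frontMatterLanguage(markdown) {
  const text = markdown.replace(/^\uFEFF/, ''); // ignore a leading byte-order mark
  if (!text.startsWith('---')) return null;
  const firstLine = text.slice(3).split(/\r?\n/, 1)[0];
  if (firstLine.startsWith('-')) return null; // '----' is a horizontal rule
  // Normalise case and whitespace so 'JS' or ' javascript ' cannot slip past.
  return firstLine.trim().toLowerCase();
}

function checkUntrustedMarkdown(markdown) {
  const language = frontMatterLanguage(markdown);
  if (language === null || ALLOWED_LANGUAGES.has(language)) {
    return { ok: true, language };
  }
  return {
    ok: false,
    language,
    reason: `front-matter language "${language}" is not on the allow-list`,
  };
}

// Constructed sample inputs.
const samples = [
  '# Report\n\nNo front matter here.',
  '---\ntitle: Quarterly report\n---\n# Report',
  '---json\n{ "title": "Quarterly report" }\n---\n# Report',
  '---js\n{ title: "x" }\n---\n# Report',
  '---javascript\n{ title: "x" }\n---\n# Report',
  '--- JavaScript \n{ title: "x" }\n---\n# Report',
];

for (const doc of samples) {
  const verdict = checkUntrustedMarkdown(doc);
  console.log(JSON.stringify(doc.split('\n')[0]), '->', verdict.ok ? 'accept' : 'reject');
}
```

An allow-list is used rather than a list of blocked tags so that any engine name the guard does not recognise is rejected by default; it complements the upgrade to 5.2.5 rather than replacing it.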

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
md-to-pdf (npm) | < 5.2.5 | 5.2.5

Patches

46bdcf2051c8

fix: override the javascript engine of gray-matter correctly

https://github.com/simonhaenisch/md-to-pdf · simonhaenisch · Nov 19, 2025 · via ghsa
2 files changed · +12 −2
  • src/lib/config.ts+1 1 modified
    @@ -27,7 +27,7 @@ export const defaultConfig: Config = {
     	launch_options: {},
     	gray_matter_options: {
     		engines: {
    -			js: () =>
    +			javascript: () =>
     				new Error(
     					'The JS engine for front-matter is disabled by default for security reasons. You can enable it by configuring gray_matter_options.',
     				),
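
Review bot: The renamed `javascript:` key under `gray_matter_options.engines` has no comment saying why this exact name matters, and the previous `js:` key looked just as plausible, so a later tidy-up could quietly undo the fix. Add a short comment above the key noting that this single entry is expected to cover both the `---js` and `---javascript` delimiters (as the tests in this commit assert), and consider throwing the `Error` instead of returning it so that a disabled engine fails loudly rather than being passed back as a value.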
    
  • src/test/api.spec.ts+11 1 modified
    @@ -91,7 +91,7 @@ test('compile the MathJax test', async (t) => {
     	t.regex(textContent, /a\s≠\s0/);
     });
     
    -test('the JS engine is disabled by default', async (t) => {
    +test('the JS engine with `js` tag is disabled by default', async (t) => {
     	const css = '`body::before { display: block; content: "${"i am injected"}"}`'; // eslint-disable-line no-template-curly-in-string
     
     	const pdf = await mdToPdf({ content: `---js\n{ css: ${css} }\n---` });
    @@ -101,6 +101,16 @@ test('the JS engine is disabled by default', async (t) => {
     	t.is(textContent, '');
     });
     
    +test('the JS engine with `javascript` tag is disabled by default', async (t) => {
    +	const css = '`body::before { display: block; content: "${"i am injected"}"}`'; // eslint-disable-line no-template-curly-in-string
    +
    +	const pdf = await mdToPdf({ content: `---javascript\n{ css: ${css} }\n---` });
    +
    +	const textContent = await getPdfTextContent(pdf.content);
    +
    +	t.is(textContent, '');
    +});
    +
     test('the JS engine for front-matter can be enabled', async (t) => {
     	const css = '`body::before { display: block; content: "${"i am injected"}"}`'; // eslint-disable-line no-template-curly-in-string
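
Review bot: The added `javascript`-tag test repeats the `js`-tag test line for line with only the delimiter changed, and both show the engine is off only indirectly, through `t.is(textContent, '')` on the rendered PDF. Drive one test body from a list of delimiters, including mixed-case spellings, and assert directly on the parsed front matter or the resulting config so the check does not depend on how the CSS ends up rendering.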
     
    
