Remote Code Execution Vulnerability in md-to-pdf from Simon Haenisch
CVE-2025-65108

10CRITICAL

Key Information:

Vendor

Simonhaenisch

Status
Md-to-PDF
Vendor
CVE Published:
21 November 2025

What is CVE-2025-65108?

CVE-2025-65108 is a remote code execution vulnerability identified in the md-to-pdf project by Simon Haenisch, which is a command-line interface (CLI) tool for converting Markdown files into PDF documents using Node.js combined with a headless version of Chrome. This vulnerability is primarily associated with the improper handling of Markdown front-matter that contains JavaScript delimiters. When users convert Markdown content that includes such front-matter, the underlying JavaScript engine in the gray-matter library can inadvertently execute arbitrary code, resulting in the potential for remote code execution. If an attacker were to exploit this vulnerability, they could gain unauthorized control over the application, leading to severe consequences for organizations relying on the md-to-pdf tool for document generation.

Potential impact of CVE-2025-65108

  1. Remote Code Execution: The most critical impact of CVE-2025-65108 is the ability for attackers to execute arbitrary code remotely. This allows them complete control over the affected system, potentially leading to data exfiltration, integrity breaches, or further compromise of connected infrastructure.

  2. Increased Attack Surface: Systems utilizing the md-to-pdf tool may become key targets due to this vulnerability. If exploited, attackers could manipulate the tool's functionality to distribute malware or gain a foothold within the organization’s network, increasing the overall attack surface.

  3. Compliance and Trust Issues: Organizations that suffer from successful exploits of this vulnerability may face compliance violations, particularly if sensitive data is involved. This can lead to reputational damage, loss of customer trust, and possible legal ramifications, emphasizing the need for robust security measures against such vulnerabilities.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

md-to-pdf < 5.2.5

References

https://github.com/simonhaenisch/md-to-pdf/security/advis...
x_refsource_CONFIRM
https://github.com/simonhaenisch/md-to-pdf/commit/46bdcf2...
x_refsource_MISC

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.