Critical Markdown to PDF Flaw (CVE-2025-65108, CVSS 10.0) Allows RCE via JS Injection in Markdown Front-Matter

Estimated reading time: 10 minutes

Key Takeaways:

  • A critical vulnerability (CVE-2025-65108) in the `md-to-pdf` npm package allows for remote code execution (RCE).
  • The vulnerability is triggered by JavaScript injection within the Markdown front-matter.
  • Mitigation: update to version 5.2.5 or later. Until then, reject untrusted Markdown whose front-matter opens with a language tag such as `---js`, and run the converter with least privilege. A Content Security Policy (CSP) does not help here: the code runs in the Node.js converter process, not in a browser.
  • This highlights the importance of supply chain security and continuous monitoring for emerging threats.

A critical vulnerability, CVE-2025-65108 (CVSS score of 10.0), has been identified in the widely used `md-to-pdf` npm package. The flaw allows remote code execution (RCE) via JavaScript embedded in a Markdown file's front-matter: a single malicious document gives the attacker code execution on whatever host performs the conversion. Given the package's popularity, with over 47,000 weekly downloads, any application, build system, or cloud service that uses it to process untrusted Markdown is exposed. Because the risk is inherited through a dependency rather than introduced by the application's own code, it is exactly the kind of issue supply-chain risk monitoring exists to surface.

Understanding the Vulnerability

The vulnerability centers on the `md-to-pdf` package, a command-line tool designed to convert Markdown files to PDF format. According to the advisory, a front-matter block whose opening delimiter carries a JavaScript language tag causes the JavaScript engine in the `gray-matter` library to evaluate the block during conversion. The advisory states: *"A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process […] If user-supplied Markdown is fed to md-to-pdf and the front-matter contains malicious JS, the converter process will execute that code."*

In essence, if user-provided Markdown is processed by `md-to-pdf` and its front-matter contains malicious JavaScript, the converter process executes that code with its own privileges, which can mean full compromise of the converting host. Any pipeline that accepts Markdown from users, customers, or external repositories should therefore treat those files as executable input, and breach detection on build and document-processing systems should cover the converter process itself.

Technical Deep Dive

The root cause of CVE-2025-65108 lies in how `md-to-pdf` uses the `gray-matter` library to parse the front-matter block at the top of a Markdown file. `gray-matter` ships with YAML, JSON and JavaScript engines, and the engine that parses a block is chosen by the language tag written directly after the opening `---` delimiter. A plain `---` line selects YAML, which is how `md-to-pdf` users pass options such as page format. `---js` or `---javascript` selects the JavaScript engine, which evaluates the block as JavaScript in the calling Node.js process. Nothing in `md-to-pdf` before 5.2.5 overrode this default, so the choice of engine was left to whoever wrote the document.

Attackers exploit this by writing `---js` as the opening line and putting arbitrary JavaScript in the block; `gray-matter` evaluates it while the file is being prepared for conversion. No memory corruption or parser bug is involved: the feature works as designed, which is why the fix is to remove the engine from the converter's reach rather than to patch a parser. What looks like a harmless document upload becomes code execution with the privileges of the converter process.

Proof of Concept

The advisory includes a proof-of-concept (PoC) that manipulates the front-matter to execute an arbitrary operating system command. As described, it launches `calc.exe` on the machine running the converter; any other command, such as a reverse shell or a credential dump, would work the same way. The implication is that any server, CI/CD pipeline, or desktop tool that converts Markdown to PDF with an affected version is exploitable simply by processing a malicious Markdown file. Because the payload is plain text inside an ordinary `.md` file, it passes through most upload filters; detection has to look at the front-matter itself or at what the converter process does next, for example spawning a shell or opening an outbound connection.

Impact Assessment

The impact of CVE-2025-65108 is substantial, particularly for organizations that rely on `md-to-pdf` for automated document processing. The ability to execute arbitrary code on a system through a seemingly innocuous file conversion process can lead to various malicious outcomes, including:

  • Data exfiltration: Attackers could steal sensitive data stored on the compromised system.
  • System compromise: The entire system could be taken over, allowing the attacker to install malware, create backdoors, or launch further attacks against the network.
  • Supply chain attacks: If the compromised system is part of a CI/CD pipeline, attackers could inject malicious code into software builds, leading to widespread distribution of malware.
  • Denial of service: Attackers could crash the system or render it unusable, disrupting business operations.

The wide usage of the `md-to-pdf` package amplifies the potential impact. Many organizations are unaware that processing untrusted Markdown can mean executing code, so the converter often runs with the same privileges as the surrounding application or build job. Underground-forum and dark-web monitoring can provide early warning of attackers discussing or trading exploits for this vulnerability.

Mitigation Strategies

The most immediate and effective mitigation is to update the `md-to-pdf` package to version 5.2.5 or later. The patched version stops handing front-matter to `gray-matter`'s JavaScript engine, so a `---js` or `---javascript` block is no longer evaluated, while ordinary YAML front-matter (the documented way to pass `md-to-pdf` options) continues to work.

However, updating the package is not always sufficient. Organizations should also implement the following security measures to reduce their attack surface:

  • Input validation: treat Markdown from untrusted sources as executable input. Reject or strip any front-matter block whose opening delimiter carries a language tag (`---js`, `---javascript`), and if you call `gray-matter` directly, pass an `engines` override that refuses the JavaScript engine.
  • Content Security Policy (CSP) does not apply here: the code runs in the Node.js process that performs the conversion, not in a browser, so a CSP on the rendered page cannot stop it. Do not rely on it for this class of bug.
  • Least privilege: Run the `md-to-pdf` converter with the least privileges necessary to perform its function.
  • Regular security audits: Conduct regular security audits to identify and address potential vulnerabilities in the application and its dependencies.
  • Endpoint detection and response (EDR): Deploy EDR solutions to detect and respond to malicious activity on endpoints.
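The engine selection described under Technical Deep Dive and the front-matter check listed under Input validation above, in one added example. This is illustrative code written for this article, not the advisory's PoC and not `gray-matter`'s or `md-to-pdf`'s source: it re-creates the delimiter and language-tag dispatch in a few lines, shows that an unsafe engine table runs whatever follows `---js` inside the converter process, and shows the two defences (a hardened engine table and a pre-check that rejects tagged front-matter). The helper names, the JSON stand-in for YAML and the sample documents are constructed for the example; the exact `engines` override that `md-to-pdf` 5.2.5 ships is not reproduced.

```javascript
// Added example (not gray-matter's or md-to-pdf's source). A stripped-down copy
// of the front-matter dispatch that gray-matter performs, to show why a "---js"
// tag leads to code execution and how an engine override plus a pre-check stop it.
// All names here (splitFrontMatter, UNSAFE_ENGINES, SAFE_ENGINES, parseFrontMatter,
// isSafeForConversion) are invented for this example.

// The opening "---" may be followed by a language tag on the same line; the
// block runs until the next line that is exactly "---". Simplified: CRLF and
// custom delimiters are not handled.
const FRONT_MATTER_RE = /^---([^\n]*)\n([\s\S]*?)\n---(?:\n|$)/;

function splitFrontMatter(src) {
  const m = FRONT_MATTER_RE.exec(src);
  if (!m) return { language: null, block: null, body: src };
  // No tag means the default engine (yaml); the tag is case-insensitive.
  const language = m[1].trim().toLowerCase() || 'yaml';
  return { language, block: m[2], body: src.slice(m[0].length) };
}

// Engine table modelled on the three parsers gray-matter ships with. JSON is
// the stand-in for YAML so the example needs no dependency (a JSON document is
// valid YAML). The important entry is "javascript": the block is evaluated
// with eval() in this process, which is the behaviour the CVE is about.
const UNSAFE_ENGINES = {
  json: (str) => JSON.parse(str),
  yaml: (str) => JSON.parse(str),
  javascript: (str) => eval('(function () {\nreturn ' + str.trim() + ';\n}());') || {}, // eslint-disable-line no-eval
};
UNSAFE_ENGINES.js = UNSAFE_ENGINES.javascript; // gray-matter treats "js" as an alias

// Hardened table: same YAML/JSON handling, but the JavaScript engine refuses.
// gray-matter accepts an `engines` option that replaces entries like these; the
// exact override md-to-pdf 5.2.5 ships is not reproduced here (assumption).
const SAFE_ENGINES = {
  json: UNSAFE_ENGINES.json,
  yaml: UNSAFE_ENGINES.yaml,
  javascript: () => { throw new Error('JavaScript front-matter is disabled'); },
};
SAFE_ENGINES.js = SAFE_ENGINES.javascript;

function parseFrontMatter(src, engines) {
  const { language, block, body } = splitFrontMatter(src);
  if (language === null) return { data: {}, content: body };
  const engine = engines[language];
  if (!engine) throw new Error(`no front-matter engine for "${language}"`);
  return { data: engine(block), content: body };
}

// Pre-flight check for code that hands files to the real md-to-pdf: allow only
// untagged (YAML) front-matter, so a "---js" document never reaches the converter.
function frontMatterLanguage(src) {
  return splitFrontMatter(src).language;
}
function isSafeForConversion(src) {
  const lang = frontMatterLanguage(src);
  return lang === null || lang === 'yaml';
}

// Constructed inputs. The "malicious" block only sets a global as proof of
// execution; in a real attack this is where require("child_process") would go.
const BENIGN_MD = '---\n{"title": "Quarterly report"}\n---\n# Hello\n';
const MALICIOUS_MD =
  '---js\n(globalThis.__fmRan = "code ran in converter process", {title: "x"})\n---\n# Hello\n';

function demo() {
  delete globalThis.__fmRan;
  const vulnerable = parseFrontMatter(MALICIOUS_MD, UNSAFE_ENGINES);
  const ranUnderVulnerable = globalThis.__fmRan === 'code ran in converter process';

  delete globalThis.__fmRan;
  let hardenedError = null;
  try { parseFrontMatter(MALICIOUS_MD, SAFE_ENGINES); } catch (e) { hardenedError = e.message; }
  const ranUnderHardened = globalThis.__fmRan !== undefined;

  return {
    vulnerableTitle: vulnerable.data.title,   // 'x': the block ran and returned an object
    ranUnderVulnerable,                       // true
    hardenedError,                            // 'JavaScript front-matter is disabled'
    ranUnderHardened,                         // false
    benignTitle: parseFrontMatter(BENIGN_MD, SAFE_ENGINES).data.title, // 'Quarterly report'
    benignAllowed: isSafeForConversion(BENIGN_MD),       // true
    maliciousAllowed: isSafeForConversion(MALICIOUS_MD), // false
  };
}

console.log(demo());
```

Run it with `node`; it prints the object returned by `demo()`. The pre-check is deliberately conservative: it allows only untagged front-matter, so even `---json`, which `gray-matter` would parse safely, is rejected, because an allow-list of what you expect is easier to reason about than a deny-list of engine names. The hardened engine table is the right shape for code that calls `gray-matter` itself; code that only calls `md-to-pdf` should upgrade and add the pre-check.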

Implications for Supply Chain Security

CVE-2025-65108 underscores the importance of supply chain security. Organizations must be aware of the risks associated with using third-party libraries and dependencies, and they must take steps to mitigate those risks. Supply-chain risk monitoring is crucial to identify and address vulnerabilities in the software supply chain before they can be exploited.

This vulnerability highlights the need for a comprehensive approach to supply chain security, including:

  • Software composition analysis (SCA): Use SCA tools to identify and track all third-party components used in the application.
  • Vulnerability scanning: Regularly scan the application and its dependencies for known vulnerabilities.
  • Dependency management: Implement a robust dependency management process to ensure that all dependencies are up-to-date and secure.
  • Supplier risk management: Assess the security posture of suppliers and ensure that they have adequate security controls in place.

Practical Takeaways

For Technical Readers:

  • Immediately update `md-to-pdf` to version 5.2.5 or later.
  • Implement strict input validation for all Markdown content.
  • Reject or strip front-matter language tags (`---js`, `---javascript`) in Markdown from untrusted sources; a Content Security Policy will not stop this class of bug because the code runs in the Node.js process.
  • Regularly scan dependencies for vulnerabilities using SCA tools.
  • Alert on unexpected child processes (shells, interpreters) spawned by the Node.js process that runs `md-to-pdf`, and on unexpected outbound connections from it.

For Non-Technical Readers (Business Leaders):

  • Understand the potential risks associated with using third-party software.
  • Ensure that your organization has a robust supply chain security program in place.
  • Allocate resources for security audits and vulnerability assessments.
  • Promote a culture of security awareness throughout the organization.
  • Verify that security teams utilize the latest tools, such as cyber threat intelligence platforms and dark web monitoring services, to stay ahead of emerging threats.

PurpleOps and Vulnerability Management

PurpleOps is dedicated to providing comprehensive cybersecurity solutions, including a cyber threat intelligence platform and real-time ransomware intelligence, to help organizations proactively manage vulnerabilities and mitigate risks. Our services encompass:

  • Cyber Threat Intelligence: We offer detailed intelligence on emerging threats, including vulnerabilities like CVE-2025-65108, enabling informed decision-making and proactive defense strategies.
  • Dark Web Monitoring: Our dark web monitoring service helps identify potential threats and data leaks related to your organization. This includes monitoring for discussions about exploiting vulnerabilities like CVE-2025-65108 on underground forums.
  • Supply Chain Information Security: PurpleOps assists in assessing and managing the security risks associated with your supply chain, ensuring that your vendors and partners adhere to stringent security standards.
  • Breach Detection: Using state-of-the-art technology, PurpleOps is able to quickly detect breaches and alert the customer.

CVE-2025-65108 serves as a reminder of the ever-present need for proactive security measures and continuous monitoring. By staying informed, implementing robust security controls, and leveraging the expertise of cybersecurity providers like PurpleOps, organizations can effectively defend against emerging threats and protect their critical assets.

To learn more about how PurpleOps can help you strengthen your cybersecurity posture, please explore our services at PurpleOps Solutions or contact us for more information.

FAQ

What is CVE-2025-65108?
CVE-2025-65108 is a critical vulnerability in the `md-to-pdf` npm package that allows for remote code execution (RCE) via JavaScript injection in Markdown front-matter.

How can I mitigate this vulnerability?
Update the `md-to-pdf` package to version 5.2.5 or higher. Until the update is deployed, reject untrusted Markdown whose front-matter opens with a language tag such as `---js`, and run the converter with least privilege. A Content Security Policy does not mitigate this vulnerability, because the code executes in the Node.js converter process rather than in a browser.

Why is supply chain security important?
Supply chain security is crucial because vulnerabilities in third-party libraries and dependencies can be exploited to compromise your systems and data.