Publish GHSA-547r-qmjm-8hvw

advisory-database[bot] · advisory-database[bot] · commit 913c606e4704 · 2025-11-20T17:49:59.000Z
diff --git a/advisories/github-reviewed/2025/11/GHSA-547r-qmjm-8hvw/GHSA-547r-qmjm-8hvw.json b/advisories/github-reviewed/2025/11/GHSA-547r-qmjm-8hvw/GHSA-547r-qmjm-8hvw.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-547r-qmjm-8hvw",
+  "modified": "2025-11-20T17:48:11Z",
+  "published": "2025-11-20T17:48:11Z",
+  "aliases": [],
+  "summary": "md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter",
+  "details": "### Summary\nA Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of **md-to-pdf** library, resulting in remote code execution.\n\n### Details\n**md-to-pdf** uses the gray-matter library to parse front-matter. Gray-matter exposes a JavaScript engine that, when enabled or triggered by certain front-matter delimiters (e.g. ---js or ---javascript), will evaluate the front-matter contents as JavaScript. If user-supplied Markdown is fed to md-to-pdf and the front-matter contains malicious JS, the converter process will execute that code.\n\n\n### PoC\n```\nconst { mdToPdf } = require('md-to-pdf');\n\nvar payload = '---javascript\\n((require(\"child_process\")).execSync(\"calc.exe\"))\\n---RCE';\n\n(async () => {\n\tawait mdToPdf({ content: payload }, { dest: './output.pdf'});\n})();\n```\nRunning the PoC on Windows launches the calculator application, demonstrating arbitrary code execution.\n\n### Impact\n\n- Remote code execution in the process that performs Markdown->PDF conversion.\n- If the converter is run in a web app or cloud service, an attacker uploading malicious Markdown can execute arbitrary commands on the",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "md-to-pdf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.2.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/simonhaenisch/md-to-pdf/security/advisories/GHSA-547r-qmjm-8hvw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/simonhaenisch/md-to-pdf/commit/46bdcf2051c8d1758b391c1353185a179a47a4d9"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/simonhaenisch/md-to-pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-20T17:48:11Z",
+    "nvd_published_at": null
+  }
+}
