
Critical Remote Code Execution Vulnerability in md-to-pdf via JavaScript Injection (CVE-2025-65108)

Updated March 21, 2026 at 03:19 PM. 2 sources.

A critical vulnerability (CVE-2025-65108, CVSS 10.0) has been identified in the md-to-pdf tool, which is used to convert Markdown files to PDF using Node.js and headless Chrome. The flaw allows attackers to achieve remote code execution by injecting malicious JavaScript into the front-matter section of Markdown files, exploiting the way the gray-matter library parses these blocks. This vulnerability is remotely exploitable and poses a significant risk to any system processing untrusted Markdown files with affected versions of md-to-pdf.

The issue has been addressed in version 5.2.5 of the md-to-pdf library, and users are strongly advised to update to this version to mitigate the risk. No specific affected product versions are listed, but the vulnerability impacts all prior versions that use the vulnerable parsing mechanism. Security advisories have been published to highlight the severity and exploitation potential of this flaw, emphasizing the need for immediate remediation in environments where Markdown-to-PDF conversion is automated or exposed to user-supplied content.
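
One way to gate untrusted Markdown before it reaches md-to-pdf, as an added example that is not code from md-to-pdf, gray-matter or the advisory itself. It assumes gray-matter picks its parsing engine from the language tag that follows the opening `---` delimiter; `checkDocument`, `frontMatterLanguage`, `isPatched` and the sample documents are hypothetical names and inputs constructed here.

```javascript
// Added example (not md-to-pdf's own code): gate Markdown before conversion.
// Assumption: gray-matter reads the engine name from the text that follows
// the opening "---" on the first line, for example "---js".

const FIXED_VERSION = "5.2.5"; // first patched md-to-pdf release, per the advisory
const ALLOWED_LANGUAGES = new Set(["", "yaml", "yml", "json"]); // data-only formats

// True when an installed "x.y.z" version is at or above the fixed release.
function isPatched(installed, fixed = FIXED_VERSION) {
  const a = installed.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Returns the front-matter language tag, or null when there is no front matter.
function frontMatterLanguage(markdown) {
  const text = markdown.replace(/^\uFEFF/, ""); // a BOM must not hide the delimiter
  if (!text.startsWith("---") || text.charAt(3) === "-") return null;
  const firstLine = text.slice(3).split(/\r?\n/, 1)[0];
  return firstLine.trim().toLowerCase();
}

// Decide whether a document may be passed to the converter.
function checkDocument(markdown, installedVersion) {
  const language = frontMatterLanguage(markdown);
  if (language !== null && !ALLOWED_LANGUAGES.has(language)) {
    return { allow: false, reason: `front-matter language "${language}" is not data-only` };
  }
  if (!isPatched(installedVersion)) {
    return { allow: true, reason: `md-to-pdf ${installedVersion} predates ${FIXED_VERSION}; upgrade` };
  }
  return { allow: true, reason: "ok" };
}

// Constructed samples; the second only names the engine, its body is inert.
const SAMPLES = [
  "---\ntitle: Report\n---\n# Body\n",
  "\uFEFF---JavaScript\n{ title: 'constructed sample' }\n---\n# Body\n",
  "# No front matter\n",
];
for (const doc of SAMPLES) console.log(checkDocument(doc, "5.2.4"));
```

The allowlist is a defence-in-depth filter for pipelines that accept user-supplied Markdown; it does not replace updating to 5.2.5.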

Timeline

  1. Nov 24, 2025

    Public report details CVSS 10.0 RCE via Markdown front-matter injection

    A subsequent public report described CVE-2025-65108 as a CVSS 10.0 issue that can lead to remote code execution through JavaScript injection in Markdown front matter. The available reporting did not include vendor remediation or exploitation details.

  2. Nov 21, 2025

    CVE-2025-65108 published for md-to-pdf JavaScript code execution flaw

    A critical vulnerability, CVE-2025-65108, was published affecting md-to-pdf. The flaw allows arbitrary JavaScript code execution when parsing Markdown front matter.

Related Stories

Critical Local File Inclusion Vulnerability in jsPDF Library

A critical vulnerability, tracked as CVE-2025-68428, was discovered in the *jsPDF* library, which is widely used for generating PDFs in JavaScript applications. The flaw allows attackers to exploit local file inclusion and path traversal in the Node.js build of jsPDF by passing unsanitized paths to the `loadFile` method, potentially enabling unauthorized access to arbitrary files on the server. Other affected methods include `addImage`, `html`, and `addFont`, with the vulnerability present in the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The issue has been addressed in jsPDF version 4.0.0, which restricts file system access by default. The vulnerability is remotely exploitable and poses a significant risk to applications that allow user-controlled input to these methods. jsPDF recommends updating to version 4.0.0 or later and, for older Node.js versions, sanitizing user-provided paths before use. Additionally, Node.js environments should leverage the `--permission` flag to further restrict file system access. Organizations using jsPDF in server-side environments are urged to review their implementations and apply the necessary updates or mitigations to prevent potential data breaches or unauthorized file access.

1 month ago

RCE in next-mdx-remote When Server-Side Rendering Untrusted MDX

HashiCorp disclosed **HCSEC-2026-01** (tracked as **CVE-2026-0969** / **GHSA-g4xw-jxrg-5f6m**) affecting the *next-mdx-remote* library used by Next.js applications to render MDX content. The flaw can lead to **arbitrary code execution** when applications **server-side render untrusted MDX** due to insufficient sanitization in the `serialize` compilation path, particularly when JavaScript expressions in MDX are permitted; the issue is categorized as **CWE-94 (code injection)** and reported with a **CVSS 3.1 score of 8.8 (High)**. Guidance from the Canadian Centre for Cyber Security and third-party analysis both recommend updating affected deployments. Impacted versions are reported as **4.3.0 through 5.0.0** (Cyber Centre advisory) and **4.3.0 up to but not including 6.0.0** (Socket), with remediation available in **6.0.0**; the 6.0.0 release also changes defaults to reduce exposure by disabling JavaScript expressions by default (`blockJS: true`) and adding additional guardrails when dangerous JS is explicitly enabled (e.g., best-effort blocking of constructs like `eval`, `Function`, `process`, and `require`).

1 month ago

Windows Notepad Markdown Link Handling Flaw Enables Remote Code Execution

Microsoft patched a high-severity **remote code execution** issue in the modern *Windows Notepad* (Microsoft Store) app, tracked as **CVE-2026-20841** (CVSS 8.8), caused by **command injection** (`CWE-77`) tied to improper neutralization of special elements used in commands. The weakness can be triggered when a user opens a booby-trapped **Markdown (`.md`)** file in Notepad and clicks an embedded malicious link; the app can be coerced into launching **unverified protocols** that load and execute remote content, resulting in code execution in the **security context of the logged-in user** (potentially full compromise if the user has admin rights).

3 weeks ago
