CRITICAL 9.8
GHSA-x949-7cm6-fm6p
Code Injection in md-to-pdf.
Details
The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-23639 [ADVISORY]
- https://github.com/simonhaenisch/md-to-pdf/issues/99 [WEB]
- https://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a [WEB]
- https://github.com/simonhaenisch/md-to-pdf [PACKAGE]
- https://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880 [WEB]