VDB
KO
CRITICAL 9.8

GHSA-x949-7cm6-fm6p

Code Injection in md-to-pdf.

Details

The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / md-to-pdf
Introduced in: 0 Fixed in: 5.0.0
Fix npm install md-to-pdf@5.0.0

References