CVE-2021-23639

Remote Code Execution (RCE)

CVSS 9.8 CRITICALEPSS 5.3%

The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · md-to-pdf

public PoCs found — 1

githubgithub.com/MohandAcherir/CVE-2021-23639★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a https://github.com/simonhaenisch/md-to-pdf/issues/99 https://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880