md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

Markdown To Pdf 代码注入漏洞

Markdown To Pdf是德国Simon Hanisch个人开发者的一个简单且可破解的 Cli 工具。用于将 Markdown 转换为 pdf。 Markdown To Pdf 5.2.5之前版本存在代码注入漏洞，该漏洞源于Markdown前端块处理不当，可能导致远程代码执行。

N/A

N/A