Description
The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.
Remediation
References
https://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a
https://github.com/simonhaenisch/md-to-pdf/issues/99
https://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880
Related Vulnerabilities
CVE-2021-23363 Vulnerability in npm package kill-by-port
CVE-2020-1960 Vulnerability in maven package org.apache.flink:flink-metrics-core
CVE-2015-1427 Vulnerability in maven package org.elasticsearch:elasticsearch
CVE-2021-32854 Vulnerability in maven package org.webjars.bower:textangular
CVE-2022-35204 Vulnerability in maven package org.webjars.npm:vite