Description
The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.
Remediation
References
https://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a
https://github.com/simonhaenisch/md-to-pdf/issues/99
https://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880
Related Vulnerabilities
CVE-2020-27543 Vulnerability in npm package restify-paginate
CVE-2022-36599 Vulnerability in maven package net.mingsoft:ms-mcms
CVE-2022-40150 Vulnerability in maven package org.codehaus.jettison:jettison
CVE-2019-5484 Vulnerability in maven package org.webjars.npm:bower
CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-hbase_2-client-service