Description
The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.
Remediation
References
https://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a
https://github.com/simonhaenisch/md-to-pdf/issues/99
https://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880
Related Vulnerabilities
CVE-2022-41777 Vulnerability in npm package nadesiko3
CVE-2021-21388 Vulnerability in npm package systeminformation
CVE-2022-29252 Vulnerability in maven package org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki
CVE-2021-23555 Vulnerability in npm package vm2
CVE-2021-46708 Vulnerability in maven package org.webjars:swagger-ui