Description
The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.
Remediation
References
https://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a
https://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880
https://github.com/simonhaenisch/md-to-pdf/issues/99
Related Vulnerabilities
CVE-2019-10781 Vulnerability in npm package schema-inspector
CVE-2018-1307 Vulnerability in maven package org.apache.juddi:juddi-client
CVE-2020-28460 Vulnerability in npm package multi-ini
CVE-2022-43416 Vulnerability in maven package org.jenkins-ci.plugins:katalon
CVE-2021-24033 Vulnerability in maven package org.webjars.npm:react-dev-utils