CVE-2025-65108
Unknown · Unknown Multiple Products (underlying library: md-to-pdf)
A critical remote code execution vulnerability has been identified in the md-to-pdf library, a tool used for converting Markdown files to PDFs.
Executive summary
A critical remote code execution vulnerability has been identified in the md-to-pdf library, a tool used for converting Markdown files to PDFs. An attacker can exploit this vulnerability by crafting a special Markdown file which, when processed, executes malicious code on the server, potentially leading to a full system compromise. Organizations using any product that incorporates this library must take immediate action to prevent unauthorized access and data breaches.
Vulnerability
The vulnerability exists in the way the md-to-pdf library processes Markdown front-matter using its gray-matter dependency. An attacker can craft a Markdown file whose front-matter block opens with a JavaScript delimiter and contains arbitrary code. When the vulnerable application converts this file to a PDF, gray-matter hands the block to its JavaScript front-matter engine, which evaluates the embedded code with the full permissions of the converter process, resulting in unauthenticated remote code execution (RCE) on the host system.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 10.0, reflecting the highest possible risk. Successful exploitation could lead to a complete compromise of the affected server's confidentiality, integrity, and availability. An attacker could steal sensitive data, install ransomware, deploy persistent backdoors, manipulate critical information, or use the compromised system as a pivot point to attack other internal network resources. The potential business impact includes major data breaches, significant financial loss, operational disruption, and severe reputational damage.
Remediation
Immediate Action: Update all instances of affected products to the latest patched versions as recommended by the respective vendors. The vulnerability is patched in md-to-pdf version 5.2.5 and later. Following the update, monitor systems for any signs of exploitation and thoroughly review access and application logs for suspicious activity that occurred prior to patching.
Proactive Monitoring:
- Monitor for unusual child processes being spawned by Node.js or any process associated with the Markdown conversion service.
- Implement file integrity monitoring on application servers to detect unauthorized changes.
- Review application logs for attempts to process Markdown files containing suspicious front-matter, such as those with script tags or unusual delimiters (---js).
- Monitor for unexpected outbound network connections from servers running the conversion tool, as this could indicate a successful compromise.
Compensating Controls:
- Input Sanitization: If immediate patching is not feasible, implement a pre-processing step to scan, validate, and sanitize all uploaded or processed Markdown files, specifically stripping or rejecting any front-matter that contains executable code blocks.
- Sandboxing: Run the file conversion process in a minimal-privilege, isolated sandbox environment (e.g., a Docker container) with restricted file system access and no network connectivity to limit the potential impact of a compromise.
- Network Segmentation: Isolate the server or service performing the conversions from critical corporate networks and sensitive data stores to contain any potential breach.
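The following is an added example of the input-sanitization control and the log-review check described above; it is not code from the md-to-pdf or gray-matter projects. It relies on gray-matter's documented delimiter convention (a bare --- selects YAML, while the text after the dashes such as js or javascript names an alternative engine) and allows only YAML front-matter through, rejecting or stripping anything else before the file reaches the converter. The function names, the allow-list, and the sample documents and log lines are constructed for this example.

```javascript
// Added example, not code from the md-to-pdf or gray-matter projects.
// A pre-processing gate for Markdown before it reaches the converter.
// gray-matter picks its engine from the text after the opening `---`:
// a bare `---` means YAML, while `---js` / `---javascript` selects the
// JavaScript engine, which evaluates the block. This gate allows only
// YAML front-matter and rejects or strips anything else.

const DELIM = '---';
// Front-matter languages allowed through. '' is a bare `---` (YAML by
// default). Any other name (js, javascript, coffee, json, unknown) is refused.
const ALLOWED_LANGUAGES = new Set(['', 'yaml', 'yml']);

// Split into lines, tolerating CRLF and a leading UTF-8 BOM (gray-matter
// also strips the BOM before looking for the delimiter).
function toLines(markdown) {
  return markdown.replace(/^\uFEFF/, '').split(/\r?\n/);
}

// Describe the front-matter block, if any. endLine is the index of the
// closing `---` line, or -1 when the block is never closed.
function inspectFrontMatter(markdown) {
  const lines = toLines(markdown);
  const first = lines[0];
  // A fourth dash (`----`) is a horizontal rule, not a delimiter; gray-matter
  // applies the same rule.
  if (!first.startsWith(DELIM) || first.charAt(DELIM.length) === '-') {
    return { hasFrontMatter: false, language: null, allowed: true, endLine: -1 };
  }
  const language = first.slice(DELIM.length).trim().toLowerCase();
  let endLine = -1;
  for (let i = 1; i < lines.length; i++) {
    if (lines[i].trim() === DELIM) { endLine = i; break; }
  }
  return { hasFrontMatter: true, language, allowed: ALLOWED_LANGUAGES.has(language), endLine };
}

// Gate a document. mode 'reject' throws on a disallowed block; mode 'strip'
// drops the block and returns the body (line endings normalised to LF).
function sanitizeMarkdown(markdown, mode = 'reject') {
  const info = inspectFrontMatter(markdown);
  if (info.allowed) return markdown;
  if (mode === 'reject') {
    throw new Error(`rejected: front-matter language "${info.language}" is not permitted`);
  }
  if (info.endLine === -1) return ''; // unclosed block: nothing safe to keep
  return toLines(markdown).slice(info.endLine + 1).join('\n');
}

// Log-review helper: flag lines that record a non-YAML front-matter opener.
const SUSPICIOUS_OPENER = /(^|[^-\w])---[ \t]*(js|javascript|coffee|coffeescript)\b/i;
function flagSuspiciousLogLines(lines) {
  return lines.filter((line) => SUSPICIOUS_OPENER.test(line));
}

// Constructed sample inputs (not from any real incident or upload).
const SAFE_DOC = '---\ntitle: Quarterly report\n---\n# Report\n\nBody text.\n';
const JS_DOC = '---js\n{ title: "x" }\n---\n# Body\n';
const CRLF_DOC = '\uFEFF--- JavaScript\r\nfoo\r\n---\r\n# Body\r\n';
const SAMPLE_LOG = [
  '2025-01-01T10:01:02Z INFO convert file=report.md opener="---"',
  '2025-01-01T10:01:09Z INFO convert file=invoice.md opener="---js"',
  '2025-01-01T10:01:15Z INFO convert file=notes.md opener=""',
];

function demo() {
  return {
    safeAllowed: inspectFrontMatter(SAFE_DOC).allowed,          // true
    jsAllowed: inspectFrontMatter(JS_DOC).allowed,              // false
    crlfLanguage: inspectFrontMatter(CRLF_DOC).language,        // 'javascript'
    strippedBody: sanitizeMarkdown(JS_DOC, 'strip'),            // '# Body\n'
    flaggedLogLines: flagSuspiciousLogLines(SAMPLE_LOG).length, // 1
  };
}

console.log(demo());
```

Run the gate in 'reject' mode at the upload boundary so that a refused file never reaches the converter, and keep the refusal reason in the application log; 'strip' mode suits pipelines that must still render the document body. The allow-list is deliberately narrow: an unknown language name is refused rather than passed through, since the converter, not this gate, decides what it will execute.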
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability represents a critical and immediate risk to the organization, allowing for unauthenticated remote code execution via the processing of a single malicious file. Due to its CVSS score of 10.0, immediate patching is the highest priority. All system owners must identify and update affected products without delay. Although this vulnerability is not currently on the CISA KEV list, its severity warrants treating it with the same level of urgency as a known exploited vulnerability.