CVE-2025-65108 — AI Deep Analysis Summary

🚨 **Essence**: A critical **Code Injection** flaw in `md-to-pdf`. 📄 The tool mishandles Markdown front-matter blocks.…

🛡️ **Root Cause**: **CWE-94** (Code Injection). 🐛 The flaw lies in improper handling of **Markdown front-end blocks**. The parser fails to sanitize inputs, allowing arbitrary code injection during the conversion process.

👥 **Affected**: Users of **Simon Haenisch's** `md-to-pdf` tool. 📉 **Version**: All versions **prior to 5.2.5**. 🇩🇪 Developed by a German individual developer. ⚠️ If you use this CLI tool, you are at risk.

💀 **Attacker Capabilities**: Full **Remote Code Execution**. 🌐 **Privileges**: High (CVSS Score indicates Critical impact). 📊 **Impact**: Complete compromise of Confidentiality, Integrity, and Availability.…

🔓 **Exploitation Threshold**: **LOW**. 🚫 **Auth**: None required (PR:N). 🌍 **Vector**: Network (AV:N). 👁️ **UI**: None required (UI:N). 🎯 **Complexity**: Low (AC:L). This is an easy target for automated attacks.

📜 **Public Exploit**: **No** public PoC or wild exploitation detected yet. 🕵️‍♂️ **Status**: References point to GitHub commits and security advisories (GHSA-547r-qmjm-8hvw).…

🔍 **Self-Check**: Check your `md-to-pdf` version. 📋 Run `md-to-pdf --version`. 🚩 If version < **5.2.5**, you are vulnerable. 🧪 Scan for CLI tools using this specific package name in your environment.

✅ **Official Fix**: **YES**. 🩹 **Patch**: Update to version **5.2.5** or later. 🔗 **Source**: GitHub Commit `46bdcf2051c8d1758b391c1353185a179a47a4d9`. 📅 Published: Nov 21, 2025.

🚧 **No Patch Workaround**: If you cannot update immediately, **disable** the tool. 🚫 Do not process untrusted Markdown files. 🛑 Treat any input with front-matter blocks as malicious.…

🔥 **Urgency**: **CRITICAL**. 🚨 CVSS Vector: `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`. ⚡ High impact + Low effort = Immediate action required. 🏃‍♂️ Patch now to prevent potential RCE.