CVE-2021-23639

CRITICAL9.8EPSS 19.9%

Code Injection in md-to-pdf.

Published: 12/16/2021Modified: 3/13/2026

Description

The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.

Affected packages (1)

npm/md-to-pdffrom 0, < 5.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23639
PATCHhttps://github.com/simonhaenisch/md-to-pdf
WEBhttps://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a
WEBhttps://github.com/simonhaenisch/md-to-pdf/issues/99
WEBhttps://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880