CVE-2021-23639

CRITICAL9.8EPSS 19.9%

Code Injection in md-to-pdf.

發布日:2021/12/16修改日:2026/3/13

描述

The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.

受影響套件(1)

npm/md-to-pdffrom 0, < 5.0.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23639
PATCHhttps://github.com/simonhaenisch/md-to-pdf
WEBhttps://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a
WEBhttps://github.com/simonhaenisch/md-to-pdf/issues/99
WEBhttps://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880