CVE-2025-65108: CWE-94: Improper Control of Generation of Code ('Code Injection') in simonhaenisch md-to-pdf
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown-to-PDF converter process of the md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-65108 affects the md-to-pdf CLI tool, which converts Markdown files to PDF using Node.js and headless Chrome. The root cause is an improper control of code generation (CWE-94) within the gray-matter library that md-to-pdf relies on to parse Markdown front-matter. Specifically, if a Markdown front-matter block contains JavaScript delimiters, the gray-matter library's JavaScript engine executes this code during the conversion process. This leads to remote code execution (RCE) within the context of the md-to-pdf process. The vulnerability is exploitable remotely without any authentication or user interaction, making it highly dangerous. The CVSS v3.1 score is 10.0, indicating critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. The issue was patched in md-to-pdf version 5.2.5, which disables or properly sanitizes the execution of JavaScript code in front-matter. No public exploits or active exploitation have been reported yet, but the severity and ease of exploitation make this a high-priority vulnerability for remediation.
Potential Impact
For European organizations, this vulnerability poses a severe risk, especially for those that utilize md-to-pdf in automated document processing pipelines or web services that convert user-submitted Markdown files to PDF. An attacker could craft malicious Markdown files containing JavaScript code in the front-matter, leading to arbitrary code execution on the server or endpoint running md-to-pdf. This can result in full system compromise, data theft, service disruption, or lateral movement within the network. Organizations in sectors such as publishing, software development, education, and any industry relying on automated document generation are particularly vulnerable. The critical nature of the flaw means that even a single vulnerable instance exposed to untrusted input could lead to significant breaches. Additionally, the vulnerability's exploitation could undermine trust in document integrity and confidentiality, impacting compliance with European data protection regulations like GDPR.
Mitigation Recommendations
The primary and most effective mitigation is to upgrade md-to-pdf to version 5.2.5 or later, where the vulnerability has been patched. Organizations should audit their environments to identify all instances of md-to-pdf and verify the version in use. For environments where immediate upgrade is not feasible, implement strict input validation and sanitization on all Markdown files before processing, specifically filtering out or escaping JavaScript delimiters in front-matter blocks. Employ network segmentation and least privilege principles to limit the impact of potential exploitation. Additionally, monitor logs for unusual activity related to md-to-pdf processes and consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to detect anomalous behavior. Finally, educate developers and system administrators about the risks of processing untrusted Markdown content and enforce secure coding and deployment practices.
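As an added illustration (not code from md-to-pdf or gray-matter), the following Node.js pre-flight check covers the two mitigations above for pipelines that cannot upgrade immediately: gray-matter reads whatever follows the opening `---` on the first line as an engine name (so `---js` or `--- javascript` select its JavaScript engine), and the check accepts only bare, YAML or JSON front matter, while `isPatched` is a minimal semver comparison against 5.2.5 for auditing installed versions. Function names and the sample documents are constructed for this example.

```javascript
'use strict';

// gray-matter treats the text after the opening delimiter on the first
// line (trimmed) as the engine name; "js" and "javascript" select its
// eval-based JavaScript engine. Allowlist policy: only these pass.
const ALLOWED_ENGINES = new Set(['', 'yaml', 'yml', 'json']);

// Returns the engine tag declared on the first line (lower-cased), or
// null when the document does not start with a front-matter block.
function frontMatterEngine(markdown) {
  const firstLine = markdown.split(/\r?\n/, 1)[0];
  if (!firstLine.startsWith('---')) return null;
  return firstLine.slice(3).trim().toLowerCase();
}

// Plain or YAML/JSON front matter is accepted; any other engine tag
// (js, javascript, coffee, ...) is rejected before conversion runs.
function isSafeFrontMatter(markdown) {
  const engine = frontMatterEngine(markdown);
  return engine === null || ALLOWED_ENGINES.has(engine);
}

// md-to-pdf >= 5.2.5 carries the fix. Accepts "5.2.4", "v5.2.5", "5.10.0";
// anything that is not a plain x.y.z version is treated as unpatched.
function isPatched(version) {
  const parts = version.replace(/^v/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return false;
  const [major, minor, patch] = parts;
  if (major !== 5) return major > 5;
  if (minor !== 2) return minor > 2;
  return patch >= 5;
}

// Constructed sample inputs (not real documents) for a local run.
const SAMPLES = {
  yaml: '---\ntitle: Quarterly report\n---\n# Hello\n',
  tagged: '--- yaml\ntitle: Quarterly report\n---\n# Hello\n',
  js: '---js\n{ title: "x" }\n---\n# Hello\n',
  spacedJs: '--- javascript\n{ title: "x" }\n---\n# Hello\n',
  plain: '# No front matter here\n',
};

for (const [name, doc] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(9), isSafeFrontMatter(doc) ? 'accept' : 'reject');
}
```

Run the check over each uploaded file before invoking md-to-pdf and refuse the document when `isSafeFrontMatter` returns false; the `isPatched` helper can be fed the version string from `npm ls md-to-pdf` during an inventory sweep.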
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.694Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6920e16727835fd566e0595a
Added to database: 11/21/2025, 10:02:15 PM
Last enriched: 11/21/2025, 10:08:54 PM
Last updated: 11/22/2025, 1:32:50 AM