Headline
GHSA-547r-qmjm-8hvw: md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Summary
A Markdown front-matter block whose opening delimiter carries a JavaScript language tag causes the JavaScript engine of the gray-matter library to execute arbitrary code in the Markdown-to-PDF converter process of the md-to-pdf library, resulting in remote code execution.
Details
md-to-pdf uses the gray-matter library to parse front matter. gray-matter exposes a JavaScript engine that, when enabled or selected by certain front-matter delimiters (e.g. ---js or ---javascript), evaluates the front-matter contents as JavaScript. If user-supplied Markdown is fed to md-to-pdf and its front matter contains malicious JavaScript, the converter process executes that code.
PoC
const { mdToPdf } = require('md-to-pdf');
// Front matter whose opening delimiter selects gray-matter's JavaScript engine
var payload = '---javascript\n((require("child_process")).execSync("calc.exe"))\n---RCE';
(async () => {
  await mdToPdf({ content: payload }, { dest: './output.pdf' });
})();
Running the PoC on Windows launches the calculator application, demonstrating arbitrary code execution.
Impact
- Remote code execution in the process that performs Markdown->PDF conversion.
- If the converter is run in a web app or cloud service, an attacker uploading malicious Markdown can execute arbitrary commands on the
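A pre-flight guard that a service owner can place in front of the converter, as an added example that is not code from md-to-pdf, gray-matter, or this advisory. It relies on the behaviour described above (gray-matter reads the text after the opening `---` as the engine name) and rejects untrusted Markdown whose front matter names anything other than a data-only format. The allow-list, the sample inputs, and the `convert` parameter of `convertUntrustedMarkdown` are assumptions made for illustration.

```javascript
'use strict';

// Added example, not code from md-to-pdf or gray-matter. A pre-flight guard
// that inspects the front-matter opening line of untrusted Markdown and refuses
// any document whose delimiter names a language other than the data-only
// formats we allow. gray-matter treats the text after the opening `---` as the
// engine name, so `---js` / `---javascript` select its JavaScript engine. The
// allow-list below is an assumption about which engines this deployment needs.
const ALLOWED_FRONT_MATTER_LANGUAGES = new Set(['', 'yaml', 'yml', 'json']);

// Matches an opening delimiter at the very start of the document and captures
// whatever follows it on that line (the engine name, possibly padded).
const OPENING_DELIMITER = /^---([^\r\n]*)\r?\n/;

// Returns null when the document has no front matter, otherwise the
// normalised engine name ('' means "no tag", which gray-matter treats as YAML).
function frontMatterLanguage(markdown) {
  // gray-matter strips a UTF-8 BOM before looking for the delimiter; do the
  // same so a BOM cannot hide the delimiter from this check.
  const text = markdown.startsWith('\uFEFF') ? markdown.slice(1) : markdown;
  const m = OPENING_DELIMITER.exec(text);
  if (!m) return null;
  return m[1].trim().toLowerCase();
}

function checkFrontMatter(markdown) {
  const language = frontMatterLanguage(markdown);
  if (language === null) {
    return { allowed: true, language: null, reason: 'no front matter' };
  }
  if (ALLOWED_FRONT_MATTER_LANGUAGES.has(language)) {
    return { allowed: true, language, reason: 'data-only front matter' };
  }
  return {
    allowed: false,
    language,
    reason: `front-matter engine "${language}" is not permitted for untrusted input`,
  };
}

// Wrapper a service would call instead of handing Markdown straight to the
// converter. `convert` is a hypothetical parameter standing in for whatever
// renders the PDF (for md-to-pdf that would be mdToPdf). Throwing keeps the
// decision loud and auditable instead of silently producing a PDF.
async function convertUntrustedMarkdown(markdown, convert) {
  const verdict = checkFrontMatter(markdown);
  if (!verdict.allowed) {
    throw new Error(`rejected Markdown: ${verdict.reason}`);
  }
  return convert(markdown);
}

// Constructed sample inputs (not taken from any real document).
const SAMPLES = {
  plain: '# Hello\n\nNo front matter here.\n',
  yaml: '---\ntitle: Quarterly report\n---\n# Hello\n',
  yamlTagged: '--- yaml\ntitle: Quarterly report\n---\n# Hello\n',
  js: '---js\n({ title: "computed" })\n---\n# Hello\n',
  javascriptCrlf: '\uFEFF---JavaScript\r\n({ title: "computed" })\r\n---\r\n# Hello\r\n',
};

for (const [name, md] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(15), JSON.stringify(checkFrontMatter(md)));
}
```

The check is deliberately an allow-list rather than a block-list of `js`/`javascript`: any engine name not in the set (including unexpected spellings, padding or mixed case, which are normalised first) is refused, and a BOM or CRLF line endings do not change the verdict. It belongs in front of the converter as defence in depth, not as a replacement for updating md-to-pdf to a fixed version.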
References
- GHSA-547r-qmjm-8hvw
- simonhaenisch/md-to-pdf@46bdcf2