
GHSA-p7c9-jqhq-vr3v

GitHub Security Advisory

Remote Code Execution in markdown-pdf

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Versions of `markdown-pdf` prior to 9.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize HTML code in markdown files. If a markdown file containing malicious HTML is converted to PDF, the resulting PDF file will execute any JavaScript code in the original markdown file. This may allow attackers to execute code remotely.

## Recommendation

Upgrade to version 9.0.0 or later.

Affected Packages

npm markdown-pdf
Affected versions: >= 0, < 9.0.0 (fixed in 9.0.0)

Key Information

GHSA ID: GHSA-p7c9-jqhq-vr3v
Published: July 27, 2018 5:03 PM
Last Modified: March 1, 2023 1:36 AM
CVSS Score: 5.0 / 10
Primary Ecosystem: npm
Primary Package: markdown-pdf
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 2, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.