腾讯网

高危Markdown转PDF漏洞可通过Markdown前置元数据实现JS注入攻击(CVSS 10.0)

2025年11月24日,广受欢迎的npm包md-to-pdf(每周下载量超47,000次的命令行工具)曝出高危漏洞(CVE-2025-65108)。该漏洞获得CVSS满分10分评级,攻击者可通过恶意前置元数据解析执行任意JavaScript代码。任何使用该包处理不可信Markdown内容的应用程序、构建系统或云服务均面临严重风险。
TWCN Tech News

How to disable JavaScript from running in Firefox PDF documents

Now, the ability to turn off JavaScript in PDF documents is effortless to get done, though not as straightforward as we would like. That is because the ability to disable JavaScript is not available ...