Improper Control of Generation of Code ('Code Injection')
The package md-to-pdf is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.
Advisories for Npm/Markdown_to_pdf package
2021