CVE-2022-41709: Markdownify subject to Remote Code Execution via malicious markdown file

October 19, 2022 (updated May 8, 2025)

Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the “nodeIntegration” option enabled. There are currently no patched versions and no known workarounds.

References

fluidattacks.com/advisories/adams
github.com/advisories/GHSA-c942-mfmp-p4fh
github.com/amitmerchant1990/electron-markdownify
nvd.nist.gov/vuln/detail/CVE-2022-41709

Code Behaviors & Features

Detect and mitigate CVE-2022-41709 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →