Deserialization of Untrusted Data Affecting gatsby-plugin-mdx package, versions <2.14.1, >=3.0.0 <3.15.2


Severity

high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.79% (83rd percentile)

  • Snyk ID: SNYK-JS-GATSBYPLUGINMDX-2405699
  • published: 6 Jun 2022
  • disclosed: 18 Feb 2022
  • credit: Feng Xiao and Zhongfu Su

Introduced: 18 Feb 2022

CVE-2022-25863
CWE-502
First added by Snyk

How to fix?

Upgrade gatsby-plugin-mdx to version 2.14.1, 3.15.2 or higher.

Overview

gatsby-plugin-mdx is an MDX integration for Gatsby.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL).

Workaround:

If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.
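One way to apply the workaround above, as an added example (not Snyk's or Gatsby's code): reject any MDX source whose front matter names a language other than YAML or JSON before it reaches the plugin, since the PoC relies on a front-matter block tagged `js`. The function names, the allowlist and the sample inputs are assumptions constructed for illustration, and the check assumes the default `---` delimiter.

```javascript
// Added example: allowlist check on the front-matter language tag.
// Hypothetical helper names; assumes the default "---" delimiter.
const ALLOWED_LANGS = new Set(["", "yaml", "yml", "json"]);

// Returns the language tag after the opening delimiter, "" when the
// delimiter has no tag, or null when the source has no front matter.
function frontMatterLanguage(source) {
  const text = String(source).replace(/^\uFEFF/, ""); // ignore a leading BOM
  if (!text.startsWith("---")) return null;
  const eol = text.search(/\r?\n/);
  const firstLine = eol === -1 ? text : text.slice(0, eol);
  return firstLine.slice(3).trim().toLowerCase();
}

// Throws on any tag outside the allowlist (fails closed on unknown tags).
function assertSafeFrontMatter(source, file = "<input>") {
  const lang = frontMatterLanguage(source);
  if (lang !== null && !ALLOWED_LANGS.has(lang)) {
    throw new Error(`${file}: front-matter language "${lang}" is not allowed`);
  }
  return source;
}

// Takes { fileName: content } and returns the names that were rejected.
function auditSources(sources) {
  return Object.entries(sources)
    .filter(([name, content]) => {
      try { assertSafeFrontMatter(content, name); return false; }
      catch { return true; }
    })
    .map(([name]) => name);
}

// Constructed sample inputs (inert bodies, for demonstration only).
const samples = {
  "plain.mdx": "# Hello\n",
  "yaml.mdx": "---\ntitle: Post\n---\n# Hello\n",
  "json.mdx": "---json\n{\"title\": \"Post\"}\n---\n# Hello\n",
  "js.mdx": "---js\n({ title: 'Post' })\n---\n# Hello\n",
  "javascript-bom.mdx": "\uFEFF---JavaScript\r\n({})\r\n---\r\n",
  "coffee.mdx": "---coffee\ntitle: 'Post'\n---\n",
};

console.log("rejected:", auditSources(samples));
```

Run the check over every MDX source (files in src/pages, imported components, and content that becomes MDX nodes) before the build, and treat a rejection as a build failure.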

PoC:

const mdxToJsx = require("gatsby-plugin-mdx/utils/mdx.js");

// Front matter opened with the "js" language tag; a successful run creates a file named "rce"
var payload = '---js\n((require("child_process")).execSync("touch rce"))';

mdxToJsx(payload);
