Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Deserialization of Untrusted Data vulnerabilities in an interactive lesson.
Start learningUpgrade gatsby-plugin-mdx
to version 2.14.1, 3.15.2 or higher.
gatsby-plugin-mdx is a MDX integration for Gatsby
Affected versions of this package are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter
package, due to its default configurations that are missing input sanitization.
Exploiting this vulnerability is possible when passing input in both webpack
(MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL).
If an older version of gatsby-plugin-mdx
must be used, input passed into the plugin should be sanitized ahead of processing.
const mdxToJsx = require("gatsby-plugin-mdx/utils/mdx.js");
var payload = '---jsn((require("child_process")).execSync("touch rce"))';
mdxToJsx(payload);