faizulho / gatsby-starter-docz-netlifycms-1

MIT License

CVE-2022-25863 (Critical) detected in gatsby-plugin-mdx-1.8.0.tgz #203

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2022-25863 - Critical Severity Vulnerability

Vulnerable Library - gatsby-plugin-mdx-1.8.0.tgz

MDX integration for Gatsby

Library home page: https://registry.npmjs.org/gatsby-plugin-mdx/-/gatsby-plugin-mdx-1.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/gatsby-plugin-mdx/package.json

Dependency Hierarchy:
- docz-2.3.1.tgz (Root Library)
  - gatsby-theme-docz-2.3.1.tgz
    - :x: **gatsby-plugin-mdx-1.8.0.tgz** (Vulnerable Library)

Found in HEAD commit: 31b785aa95b9da2fafe70194de1f4d32021d7289

Found in base branch: master

Vulnerability Details

Versions of the package gatsby-plugin-mdx before 2.14.1, and from 3.0.0 before 3.15.2, are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configuration, which is missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack mode (MDX files in src/pages, or an MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

Publish Date: 2022-06-10

URL: CVE-2022-25863

CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-mj46-r4gr-5x83

Release Date: 2022-06-10

Fix Resolution: gatsby-plugin-mdx - gatsby-plugin-mdx@2.14.1, gatsby-plugin-mdx@3.15.2


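The advisory's workaround ("input passed into the plugin should be sanitized ahead of processing") in working form, as an added example that is not code from this repository, from gatsby-plugin-mdx, or from gray-matter. It assumes the front-matter convention the advisory refers to: the token after the opening `---` delimiter names the engine that parses the block, and a built-in `js` engine evaluates that block as JavaScript. The parser below is a small stand-in for that behaviour (its `js` engine really does `eval`, on constructed samples only); `parseFrontMatter`, `sanitizeMdx` and `SAFE_LANGUAGES` are this example's own names, not APIs of either library.

```javascript
// Added example: a reduced model of an engine-selecting front-matter parser
// (assumed to behave like gray-matter's default configuration) next to an
// allowlist check that rejects MDX before such a parser ever sees it.
// All names and samples here are constructed for the example.

// Opening delimiter, optional language tag, block, closing delimiter.
const FRONT_MATTER = /^---([a-zA-Z]*)\r?\n([\s\S]*?)\r?\n---\r?\n?/;

// Stand-in for a default engine table. "yaml" here only handles
// "key: value" lines; "js" evaluates the block, so whoever controls the
// MDX source controls what runs during the build.
const defaultEngines = {
  yaml: src => parseTrivialYaml(src),
  json: src => JSON.parse(src),
  js: src => eval(`(function () { return ${src}; }())`),
};

function parseTrivialYaml(src) {
  const out = {};
  for (const line of src.split('\n')) {
    const m = /^([^:#]+):\s*(.*)$/.exec(line);
    if (m) out[m[1].trim()] = m[2].trim().replace(/^['"]|['"]$/g, '');
  }
  return out;
}

// Vulnerable shape: the input itself picks the engine.
function parseFrontMatter(mdx, engines = defaultEngines) {
  const m = FRONT_MATTER.exec(mdx);
  if (!m) return { language: null, data: {}, content: mdx };
  const language = m[1] || 'yaml';
  const engine = engines[language];
  if (!engine) throw new Error(`engine "${language}" is not registered`);
  return { language, data: engine(m[2]), content: mdx.slice(m[0].length) };
}

// Workaround: sanitize ahead of processing. Only data-only languages may be
// named on the opening delimiter. strict=true rejects the file outright;
// strict=false drops the offending front matter and keeps the body.
const SAFE_LANGUAGES = new Set(['', 'yaml', 'json']);

function sanitizeMdx(mdx, { strict = true } = {}) {
  const m = FRONT_MATTER.exec(mdx);
  if (!m) return mdx;
  if (SAFE_LANGUAGES.has(m[1])) return mdx;
  if (strict) throw new Error(`rejected front matter with language "${m[1]}"`);
  return mdx.slice(m[0].length);
}

// Constructed samples. The js block is harmless (it computes 6 * 7); the
// point is that it executes at all under the default engine table.
const benignMdx = '---\ntitle: Hello\n---\n# Body\n';
const jsMdx = '---js\n{ title: "Hello", computed: 6 * 7 }\n---\n# Body\n';

function demo() {
  const unsanitized = parseFrontMatter(jsMdx); // code ran: data.computed === 42
  let sanitizedError = null;
  try {
    parseFrontMatter(sanitizeMdx(jsMdx));
  } catch (e) {
    sanitizedError = e.message; // strict mode refused the file
  }
  const lenient = parseFrontMatter(sanitizeMdx(jsMdx, { strict: false }));
  return { unsanitized, sanitizedError, lenient };
}

if (typeof module !== 'undefined') {
  module.exports = { parseFrontMatter, sanitizeMdx, demo, benignMdx, jsMdx };
}
```

Run `sanitizeMdx` over every MDX file sourced from a location a third party can write to (a CMS-managed content directory, user-submitted pages) before the plugin reads it; with the real library the same effect can be had by supplying, through its documented `engines` option, `js` and `javascript` engines that throw, since caller-supplied engines take precedence over the built-in ones (an assumption about gray-matter, not something the advisory states). Upgrading to the fixed releases listed above remains the proper fix.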