CVE-2022-25863 - Critical Severity Vulnerability
Vulnerable Library - gatsby-plugin-mdx-1.8.0.tgz
MDX integration for Gatsby
Library home page: https://registry.npmjs.org/gatsby-plugin-mdx/-/gatsby-plugin-mdx-1.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/gatsby-plugin-mdx/package.json
Dependency Hierarchy:
- docz-2.3.1.tgz (Root Library)
  - gatsby-theme-docz-2.3.1.tgz
    - :x: **gatsby-plugin-mdx-1.8.0.tgz** (Vulnerable Library)
Found in HEAD commit: 31b785aa95b9da2fafe70194de1f4d32021d7289
Found in base branch: master
Vulnerability Details
The package gatsby-plugin-mdx before 2.14.1, and from 3.0.0 before 3.15.2, is vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, because its default configuration performs no input sanitization. Exploiting this vulnerability is possible when input is passed in both webpack mode (MDX files in src/pages, or an MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.
Publish Date: 2022-06-10
URL: CVE-2022-25863
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-mj46-r4gr-5x83
Release Date: 2022-06-10
Fix Resolution: gatsby-plugin-mdx - gatsby-plugin-mdx@2.14.1, gatsby-plugin-mdx@3.15.2