{"url":"http://public2.vulnerablecode.io/api/packages/324520?format=json","purl":"pkg:npm/gatsby-plugin-mdx@3.0.0","type":"npm","namespace":"","name":"gatsby-plugin-mdx","version":"3.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.15.2","latest_non_vulnerable_version":"3.15.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52657?format=json","vulnerability_id":"VCID-wqbj-mvxn-xbgd","summary":"Unsanitized JavaScript code injection possible in gatsby-plugin-mdx\n### Impact\nThe gatsby-plugin-mdx plugin prior to versions 3.15.2 and 2.14.1 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized.  The vulnerability is present when passing input in both webpack (MDX files in `src/pages` or MDX file imported as component in frontend / React code) and data mode (querying MDX nodes via GraphQL).  Injected JavaScript executes in the context of the build server.\n\nTo exploit this vulnerability untrusted/unsanitized input would need to be sourced or added into an MDX file.  The following MDX payload demonstrates a vulnerable configuration:\n```\n---js\n((require(\"child_process\")).execSync(\"id >> /tmp/rce\"))\n--- \n```\n\n### Patches\nA patch has been introduced in `gatsby-plugin-mdx@3.15.2` and `gatsby-plugin-mdx@2.14.1` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine.  The patch introduces a new option, `JSFrontmatterEngine` which is set to `false` by default.  When setting `JSFrontmatterEngine` to `true`, input passed to `gatsby-plugin-mdx` must be sanitized before processing to avoid a security risk.  Warnings are displayed when enabling `JSFrontmatterEngine` to `true` or if it appears that the MDX input is attempting to use the Frontmatter engine.\n\n### Workarounds\nIf an older version of `gatsby-plugin-mdx` must be used, input passed into the plugin should be sanitized ahead of processing.\n\n**We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.**\n\n### Credits\nWe would like to thank Snyk [snyk.io] for initially bringing the issue to our attention, as well as Feng Xiao and Zhongfu Su, who reported the issue to Snyk.\n\n### For more information\nEmail us at [security@gatsbyjs.com](mailto:security@gatsbyjs.com).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25863","reference_id":"","reference_type":"","scores":[{"value":"0.00712","scoring_system":"epss","scoring_elements":"0.72614","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25863"},{"reference_url":"https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing"},{"reference_url":"https://github.com/gatsbyjs/gatsby","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gatsbyjs/gatsby"},{"reference_url":"https://github.com/gatsbyjs/gatsby/pull/35830","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gatsbyjs/gatsby/pull/35830"},{"reference_url":"https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e"},{"reference_url":"https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-mj46-r4gr-5x83","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-mj46-r4gr-5x83"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25863","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25863"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699"},{"reference_url":"https://github.com/advisories/GHSA-mj46-r4gr-5x83","reference_id":"GHSA-mj46-r4gr-5x83","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mj46-r4gr-5x83"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/89104?format=json","purl":"pkg:npm/gatsby-plugin-mdx@3.15.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/gatsby-plugin-mdx@3.15.2"}],"aliases":["CVE-2022-25863","GHSA-mj46-r4gr-5x83"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wqbj-mvxn-xbgd"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/gatsby-plugin-mdx@3.0.0"}