CVE-2022-25863

Published: Jun 10, 2022

Modified: Sep 17, 2024

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

Vendor	Product	Versions
n/a	gatsby-plugin-mdx	affected `unspecified - < 2.14.1` affected `3.0.0 - < unspecified` affected `unspecified - < 3.15.2`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699

x_refsource_MISC

https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing

x_refsource_MISC

https://github.com/gatsbyjs/gatsby/pull/35830

x_refsource_MISC

https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-25863

Description

Affected Products

CVSS v3.1 Details

References