CVE-2022-25863: fix(gatsby-plugin-mdx): don't allow JS frontmatter by default by pieh · Pull Request #35830 · gatsbyjs/gatsby
Versions of the package gatsby-plugin-mdx before 2.14.1, and from 3.0.0 before 3.15.2, are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, because the plugin's default configuration performs no input sanitization. The vulnerability is reachable when content is passed in both webpack mode (MDX files in src/pages, or an MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL).
Workaround:
If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.
Description
Currently gatsby-plugin-mdx by default supports the “JS engine” for frontmatter. The example syntax for it is:
---js
{
  foo: require(`fs`).readFileSync('something', 'utf-8')
}
---
Your regular MDX body
This was never intended default behavior because in some cases it can open up an attack vector for remote code execution (on the build server). As long as sourced content is secure and actually owned by the same party as the site owner, this doesn't cause problems, but we should be explicit about this, so we disable it by default with an option to re-enable it (if someone actually relied on this unintended "feature").
In the new default mode (JS frontmatter engine disabled), we will show a warning if there is any content that uses JS frontmatter, saying that it will not be processed/executed.
Because this is a security risk we will continuously show the warning as a reminder that it might not be safe to use it (it's not guaranteed to be unsafe - context matters a lot).
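As an added illustration of the behaviour described above (this is example code written for this page, not the plugin's or gray-matter's own implementation), the following guard inspects a document before it reaches a front-matter parser: it splits off the front-matter block, reads the engine name from the opening `---` line, and refuses to forward a `js`/`javascript` block unless the caller has explicitly opted in, attaching a warning in both cases. The engine aliases `js` and `javascript` are assumed to be the names gray-matter accepts on the opening fence; the option name `allowJsFrontmatter` is a hypothetical one chosen for the example, not the plugin's real option.

```javascript
// Added example, not gatsby-plugin-mdx or gray-matter code. It models the
// "disabled by default, warn, opt in explicitly" policy from the PR description.

const OPEN_DELIMITER = '---';

// Assumption: these are the engine aliases a document can request on the
// opening fence (gray-matter accepts both "js" and "javascript").
const JS_ENGINE_NAMES = new Set(['js', 'javascript']);

// Split a document into { language, frontmatter, body } the way a front-matter
// parser reads it: the first line must start with "---", the remainder of that
// line names the engine (empty means the default, yaml), and the block ends at
// the next line that is exactly "---".
function splitFrontmatter(source) {
  const lines = source.split(/\r?\n/);
  if (lines.length === 0 || !lines[0].startsWith(OPEN_DELIMITER)) {
    return { language: null, frontmatter: '', body: source };
  }
  const language = lines[0].slice(OPEN_DELIMITER.length).trim().toLowerCase() || 'yaml';
  const closeIndex = lines.indexOf(OPEN_DELIMITER, 1);
  if (closeIndex === -1) {
    // Unterminated block: treat the whole document as body rather than guessing.
    return { language: null, frontmatter: '', body: source };
  }
  return {
    language,
    frontmatter: lines.slice(1, closeIndex).join('\n'),
    body: lines.slice(closeIndex + 1).join('\n'),
  };
}

// Decide what may happen to a document before any engine runs.
// action: 'parse'   -> data engine (yaml/json/...) may parse the block
//         'skip'    -> JS engine requested but not enabled; block is dropped
//         'execute' -> JS engine requested and explicitly enabled by the caller
// A warning is attached whenever JS front-matter is present, enabled or not.
function guardFrontmatter(source, { allowJsFrontmatter = false } = {}) {
  const parts = splitFrontmatter(source);
  if (parts.language === null || !JS_ENGINE_NAMES.has(parts.language)) {
    return { action: 'parse', ...parts };
  }
  if (!allowJsFrontmatter) {
    return {
      action: 'skip',
      ...parts,
      frontmatter: '',
      warning:
        `Front-matter uses the "${parts.language}" engine, which executes code at ` +
        'build time; it was not processed. Enable it explicitly only for content you control.',
    };
  }
  return {
    action: 'execute',
    ...parts,
    warning:
      `Front-matter uses the "${parts.language}" engine and will be executed at build ` +
      'time; make sure the content is authored by the site owner.',
  };
}

// Constructed sample documents (harmless expressions, no file access).
const SAMPLE_JS_FRONTMATTER = [
  '---js',
  '{',
  '  foo: 1 + 1',
  '}',
  '---',
  'Your regular MDX body',
].join('\n');

const SAMPLE_YAML_FRONTMATTER = ['---', 'title: Hello', '---', 'Your regular MDX body'].join('\n');

// Stand-alone demonstration of the three outcomes.
for (const [label, doc, opts] of [
  ['js, default', SAMPLE_JS_FRONTMATTER, {}],
  ['js, opted in', SAMPLE_JS_FRONTMATTER, { allowJsFrontmatter: true }],
  ['yaml', SAMPLE_YAML_FRONTMATTER, {}],
]) {
  const result = guardFrontmatter(doc, opts);
  console.log(label, '->', result.action, result.warning ? `(${result.warning})` : '');
}
```

The guard only decides what reaches the engine; actual YAML/JSON parsing (and, when opted in, JS evaluation) is left to the real parser. Note that the check is intentionally case-insensitive on the engine name and that an unterminated front-matter block is passed through as plain body rather than being interpreted.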
Documentation
A small stub was added to README.md about the new plugin option, referencing the not yet published advisory with some details - this could likely be made nicer, but for the sake of getting the fix out, this will have to do for now.