CVE-2022-25863

Public Exploit

Deserialization of Untrusted Data

Description

The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

References

Link	Tags
https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699	third party advisory exploit
https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing	third party advisory exploit
https://github.com/gatsbyjs/gatsby/pull/35830	exploit third party advisory patch
https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2022-25863?: CVE-2022-25863 has been scored as a high severity vulnerability.
How to fix CVE-2022-25863?: To fix CVE-2022-25863, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-25863 being actively exploited in the wild?: It is possible that CVE-2022-25863 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-25863?: CVE-2022-25863 affects n/a gatsby-plugin-mdx.

Description

Category

CWE-502 – Deserialization of Untrusted Data

References

Frequently Asked Questions