PT-2026-7809 · Unknown · Next-Mdx-Remote
Published: 2026-02-12 · Updated: 2026-02-14 · CVE-2026-0969
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
next-mdx-remote versions 4.3.0 through 5.0.0
Description
The serialize function within next-mdx-remote does not adequately sanitize MDX content, leading to potential arbitrary code execution. This occurs when compiling MDX, particularly when server-side rendering untrusted MDX that includes JavaScript expressions. Exploitation could allow an attacker to execute code with server privileges. The issue affects systems utilizing Next.js or React server-side rendering.
Recommendations
next-mdx-remote versions 4.3.0 through 5.0.0 should be upgraded to version 6.0.0 or later.
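One way to act on this recommendation, as an added example that is not part of the advisory or the next-mdx-remote project: audit a parsed package-lock.json (lockfileVersion 2 or 3) for installed copies, including nested ones, and classify each against the version ranges above. The function names, status labels and sample lockfile are constructed for illustration; versions the advisory does not address (prereleases, anything between 5.0.0 and 6.0.0) are sent to manual review by assumption.

```javascript
// Added example (not from the advisory or the project): audit a parsed
// package-lock.json (lockfileVersion 2 or 3) for next-mdx-remote installs.
const PKG = "next-mdx-remote";
const AFFECTED_MIN = [4, 3, 0]; // advisory: affected from 4.3.0
const AFFECTED_MAX = [5, 0, 0]; // advisory: affected through 5.0.0
const FIXED_MIN = [6, 0, 0];    // advisory: upgrade to 6.0.0 or later

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "affected", "fixed", "below-range" or "review".
// Assumption: prereleases, unparseable strings and versions between 5.0.0 and
// 6.0.0 are not covered by the advisory text, so they go to manual review.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(version));
  if (!m || m[4]) return "review";
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  if (cmp(v, FIXED_MIN) >= 0) return "fixed";
  if (cmp(v, AFFECTED_MIN) < 0) return "below-range";
  return cmp(v, AFFECTED_MAX) <= 0 ? "affected" : "review";
}

// Walk every install path, including copies nested under other packages.
function findInstalls(lock) {
  const suffix = "node_modules/" + PKG;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version, status: classify(meta.version) }));
}

// Constructed sample lockfile; in practice pass JSON.parse of the real file.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/next-mdx-remote": { version: "4.4.1" },
    "node_modules/blog-kit/node_modules/next-mdx-remote": { version: "5.0.0" },
    "node_modules/docs-kit/node_modules/next-mdx-remote": { version: "6.0.0" },
    "node_modules/old-kit/node_modules/next-mdx-remote": { version: "4.2.3" },
    "node_modules/@constructed/next-mdx-remote": { version: "4.4.1" }, // different package, ignored
  },
};

for (const hit of findInstalls(SAMPLE_LOCK)) {
  console.log(`${hit.status.padEnd(12)} ${String(hit.version).padEnd(8)} ${hit.path}`);
}
```

A transitive copy pinned by another package counts as much as the top-level one, which is why the scan matches every nested node_modules path rather than only the root dependency.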
Fix
RCE
Code Injection
Affected Products
Next-Mdx-Remote