CVE-2026-0969
Arbitrary Code Execution in next-mdx-remote MDX Serialization
Publication date: 2026-02-12
Last updated on: 2026-02-12
Assigner: HashiCorp Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashicorp | next-mdx-remote | From 4.3.0 (inc) to 5.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0969 is an arbitrary code execution vulnerability in the next-mdx-remote library, specifically affecting versions from 4.3.0 up to 5.0.0.
The issue arises from the serialize function used to compile MDX content, which lacks sufficient sanitization when processing untrusted MDX input containing JavaScript expressions.
This flaw can lead to remote code execution (RCE) on the server side because dangerous JavaScript operations such as eval, Function constructor, process, require, and other global objects are not properly filtered.
next-mdx-remote is a TypeScript library that enables dynamic rendering of MDX content on both client and server environments.
How can this vulnerability impact me? :
If you use next-mdx-remote versions 4.3.0 to 5.0.0 in server environments that accept untrusted MDX content with enabled JavaScript expressions, an attacker can exploit this vulnerability to execute arbitrary code on your server.
This can lead to full compromise of the server, including unauthorized access, data theft, or disruption of services.
To mitigate this risk, upgrading to version 6.0.0 or later is recommended, where JavaScript expressions are disabled by default and additional protections against dangerous JavaScript operations are enabled.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying usage of the next-mdx-remote library versions from 4.3.0 up to 5.0.0 in your environment, especially where untrusted MDX content is processed with JavaScript expressions enabled.'}, {'type': 'paragraph', 'content': 'You can check the installed version of next-mdx-remote in your project by running the following command in your project directory:'}, {'type': 'list_item', 'content': 'npm list next-mdx-remote'}, {'type': 'paragraph', 'content': 'Additionally, to detect if your code uses the vulnerable serialize function with JavaScript expressions enabled, you can search your codebase for usage patterns like:'}, {'type': 'list_item', 'content': "grep -r 'serialize(' ./"}, {'type': 'list_item', 'content': 'and check if the option `blockJS` is set to false or not set at all.'}, {'type': 'paragraph', 'content': 'Since this vulnerability is related to server-side rendering of untrusted MDX content, monitoring logs for suspicious execution or unexpected code execution patterns may also help in detection.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the next-mdx-remote library to version 6.0.0 or later, where JavaScript expressions are disabled by default via the `blockJS: true` option.
If you need to enable JavaScript expressions (`blockJS: false`), ensure that the `blockDangerousJS: true` option is also enabled to provide best-effort protection against dangerous JavaScript operations that could lead to arbitrary code execution.
Additionally, avoid processing untrusted MDX content with JavaScript expressions enabled, or sanitize and validate all MDX input before rendering.