Description
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.
Published: 2026-02-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

The serialize function used to compile MDX in the next-mdx-remote library lacks proper sanitization, allowing an attacker to inject and execute arbitrary code when MDX content is rendered on the server. This flaw corresponds to CWE-94 and can compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

HashiCorp’s shared library, which incorporates next-mdx-remote, is impacted. All installations that rely on this library and have not applied the fix available in version 6.0.0 are potentially vulnerable; specific version information is not supplied in the advisory.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score is below 1%, suggesting a low probability of exploitation in the current landscape. The vulnerability is not listed in the KEV catalog. The likely attack vector involves an entity that can supply malicious MDX content to the server-side rendering process; if such input is accepted, the attacker can run arbitrary code with the process’s privileges.

Generated by OpenCVE AI on April 18, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the next-mdx-remote library to version 6.0.0 or later, which includes the fix for this issue.
  • Rebuild and redeploy any applications or services that use the next-mdx-remote library to ensure the updated code is in use.
  • Implement monitoring of application logs and process activity for signs of unexpected execution or anomalous behavior following the upgrade.

Generated by OpenCVE AI on April 18, 2026 at 12:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g4xw-jxrg-5f6m next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content
History

Thu, 12 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Description The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp shared Library
Vendors & Products Hashicorp
Hashicorp shared Library

Thu, 12 Feb 2026 02:30:00 +0000

Type Values Removed Values Added
Description The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content.
Title Arbitrary code execution in React server-side rendering of untrusted MDX content
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Hashicorp Shared Library
cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-04-17T17:57:55.801Z

Reserved: 2026-01-14T22:09:31.064Z

Link: CVE-2026-0969

cve-icon Vulnrichment

Updated: 2026-02-12T15:35:04.529Z

cve-icon NVD

Status : Deferred

Published: 2026-02-12T03:15:46.667

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0969

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses