Previously, it was possible to trigger a Denial of Service (DoS) in gatsby-plugin-mdx via a specially crafted MDX file, or by passing a large number of MDX nodes through its GraphQL interface. Fixed in versions v2.14.1 (2.x line) and v3.15.2 (3.x line).

Impact: An attacker who can get a malicious MDX file into the content the plugin processes (for example by upload) could have it compiled into a component used in the site's frontend / React code. An attacker could also submit a large number of MDX nodes through GraphQL.

Solution: Upgrade to gatsby-plugin-mdx v3.15.2 or later (or to v2.14.1 or later on the 2.x line).

Workaround: If MDX content is fed into the webpack build directly (from src or pages) rather than through the plugin's GraphQL layer, the vulnerable code path in the plugin is not exercised. The content must nonetheless be sanitized before the build, because untrusted MDX can still exhaust the build and cause a DoS.

The remainder of this report is organized as follows:
1. Introduction
2. Description of the vulnerability
3. Impact
4. Solution
5. Resolution

gatsby-plugin-mdx v2.14.1

Fixed in version v2.14.1:
* Fixed CVE-2022-25863 - An attacker could upload a malicious MDX file to the plugin and have it compiled into a component used in the frontend / React code, or send a large number of MDX nodes through GraphQL.
* Fixed CVE-2022-26992 - GraphQL field names were printed using the __NAMESPACE__ property, which allowed arbitrary access to fields from the context of the surrounding object (in this case, from any component).
* Fixed CVE-2022-26993 - Remote attackers could inject new scripts into the webpack build pipeline by setting an invalid configuration for webpack's WebAssembly module loader or by other means, leading to Denial of Service (DoS) against Gatsby components.

Scrivener

Scrivener is a powerful writing tool for writers who need a place to collect, organize, and manage their work. It provides helpful tools to help writers plan the structure of their manuscript, set up timelines, write dialogue and notes, and more. Scrivener is available as both an on-premise software application and a cloud-based service that allows users to create documents on any device or platform.

Timeline

Published on: 06/10/2022 20:15:00 UTC
Last modified on: 06/17/2022 18:40:00 UTC
