Platform
nodejs
Component
tinacms
Fixed in
3.1.2
2.0.5
2.0.4
3.1.1
CVE-2025-68278 is a high-severity code execution vulnerability affecting TinaCMS, a headless CMS built on Node.js. This vulnerability arises from an insecure implementation of the gray-matter package, allowing attackers to inject and execute arbitrary code within markdown files processed by TinaCMS, such as blog posts. Affected versions are those prior to 3.1.1. A fix has been released in version 3.1.1.
The core of this vulnerability lies in TinaCMS's handling of markdown files and the gray-matter package. gray-matter is used to parse front matter (metadata) within markdown files. By default, gray-matter executes code within this front matter. TinaCMS fails to properly sanitize or restrict this execution, allowing an attacker who can control the content of a markdown file (e.g., through a blog post submission form) to inject malicious JavaScript code. This code will then be executed by the server when TinaCMS processes the file, potentially leading to complete system compromise. An attacker could gain remote code execution (RCE) capabilities, enabling them to steal sensitive data, modify content, or even take control of the underlying server.
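The risk described above comes from front matter that names a code engine rather than a data format. The following added screening routine, which is not code from TinaCMS or gray-matter, inspects markdown before it is handed to the parser and flags documents whose opening delimiter carries a language tag such as `---js` or `---javascript`; it assumes only gray-matter's convention that the language name follows the opening `---` on the same line.

```javascript
// Added example, not TinaCMS or gray-matter code. Screens markdown before
// it reaches gray-matter, flagging front matter whose opening delimiter
// names a code engine ("---js", "---javascript") instead of a data format.
// Assumption: gray-matter's convention that the language tag follows the
// opening "---" on the same line.

const DATA_ONLY_LANGUAGES = new Set(['', 'yaml', 'yml', 'json']);

// Returns the language tag on the opening delimiter line, '' when the
// delimiter stands alone (gray-matter's YAML default), or null when the
// file has no front matter at all.
function frontMatterLanguage(markdown, delimiter = '---') {
  const text = markdown.replace(/^\uFEFF/, ''); // tolerate a UTF-8 BOM
  if (!text.startsWith(delimiter)) return null;
  const lineEnd = text.indexOf('\n');
  const openLine = lineEnd === -1 ? text : text.slice(0, lineEnd);
  return openLine.slice(delimiter.length).trim().toLowerCase();
}

// Classifies one document: safe means the block would be parsed as data;
// any other tag would be routed to a code engine.
function auditMarkdown(markdown) {
  const lang = frontMatterLanguage(markdown);
  if (lang === null) return { hasFrontMatter: false, language: null, safe: true };
  return {
    hasFrontMatter: true,
    language: lang === '' ? 'yaml' : lang,
    safe: DATA_ONLY_LANGUAGES.has(lang),
  };
}

// Audits a map of file name -> content and returns only entries to quarantine.
function findExecutableFrontMatter(posts) {
  return Object.entries(posts)
    .map(([name, body]) => ({ name, ...auditMarkdown(body) }))
    .filter((r) => !r.safe);
}

// Constructed sample posts (not real content from any TinaCMS site).
const SAMPLE_POSTS = {
  'hello.md': '---\ntitle: Hello\ndraft: false\n---\n# Hello world\n',
  'plain.md': '# No front matter here\n',
  'flagged.md': '---js\n{ title: "x" }\n---\nbody\n',
  'crlf.md': '---javascript\r\n{ title: "y" }\r\n---\r\nbody\r\n',
};

console.log(findExecutableFrontMatter(SAMPLE_POSTS).map((r) => r.name));
```

Running the block prints `[ 'flagged.md', 'crlf.md' ]`; the YAML and no-front-matter posts pass untouched.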
This vulnerability was publicly disclosed on December 18, 2025. A proof-of-concept (PoC) is available, demonstrating the ease of exploitation. While no active campaigns have been publicly reported, the availability of a PoC significantly increases the risk of exploitation. The vulnerability is not currently listed on CISA KEV, but its high severity warrants close monitoring. The ease of exploitation and potential impact suggest a medium to high probability of exploitation.
Organizations using TinaCMS for content management, particularly those with user-submitted content (e.g., blogs, forums), are at significant risk. Shared hosting environments where multiple users can upload markdown files are especially vulnerable. Any deployment relying on untrusted markdown input is potentially affected.
• nodejs / server:
find /var/www/tinacms -type f -name '*.md' -print0 | xargs -0 grep -iE '^[[:space:]]*<script' # Search for script tags in markdown files
• nodejs / server:
ps aux | grep -i tinacms # Check for running TinaCMS processes
• generic web:
curl -I http://your-tinacms-site.com/blog/your-post.md # Check for unusual headers or content disclosure
Exploit Status
EPSS
0.10% (28% percentile)
CISA SSVC
The primary mitigation for CVE-2025-68278 is to immediately upgrade TinaCMS to version 3.1.1 or later. This version includes a fix that prevents the insecure execution of code within markdown front matter. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting file uploads and carefully validating all markdown content submitted to TinaCMS. Implement strict input validation and sanitization to prevent the injection of malicious code. Review and audit all existing markdown files for suspicious content. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests.
Upgrade TinaCMS to version 3.1.1 or later. This can be done through npm or yarn, depending on your package manager. Run `npm install tinacms@latest` or `yarn upgrade tinacms@latest` to obtain the fixed version.
CVE-2025-68278 is a high-severity vulnerability in TinaCMS where attackers can execute arbitrary code via crafted markdown files due to insecure use of the gray-matter package.
You are affected if you are using TinaCMS versions prior to 3.1.1 and process user-supplied markdown content.
Upgrade TinaCMS to version 3.1.1 or later to mitigate the vulnerability. Implement strict input validation as a temporary workaround.
While no active campaigns have been publicly reported, a PoC is available, increasing the risk of exploitation.
Refer to the TinaCMS official security advisory for detailed information and updates: [https://www.tinacms.io/security/advisories](https://www.tinacms.io/security/advisories)