Platform
nodejs
Component
next-mdx-remote
Fixed in
6.0.0
CVE-2026-0969 is a critical Remote Code Execution (RCE) vulnerability affecting the next-mdx-remote package, a popular component for building MDX-powered websites and applications within the Node.js ecosystem. This vulnerability stems from insufficient sanitization of MDX content during the serialization process, allowing attackers to inject and execute arbitrary code. Versions 4.3.0 through 6.0.0 are vulnerable, and a fix is available in version 6.0.0.
The impact of CVE-2026-0969 is severe. An attacker who can control the MDX content processed by a vulnerable application can inject malicious code that will be executed with the privileges of the Node.js process. This could lead to complete system compromise, including data theft, modification, or deletion, and potentially lateral movement within the network. The attack vector involves crafting a malicious MDX file and ensuring it is processed by the vulnerable next-mdx-remote component. The ability to execute arbitrary code opens the door to a wide range of attacks, effectively granting the attacker full control over the affected system. This is similar to vulnerabilities where untrusted input is directly executed without proper validation.
CVE-2026-0969 was publicly disclosed on 2026-02-12. As of this date, there is no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 8.8 (HIGH) reflects the potential for significant impact if exploited.
Applications built with Next.js that utilize next-mdx-remote for rendering MDX content are at risk. This includes websites and applications that allow users to upload or provide MDX files, especially those lacking robust input validation. Developers relying on third-party MDX components or themes should also be aware of this vulnerability.
• nodejs / supply-chain: run
    npm list next-mdx-remote
  If the output shows a version between 4.3.0 and 6.0.0, the system is vulnerable.
• nodejs / supply-chain: run
    npm audit next-mdx-remote
  This command will report the vulnerability if present.
• generic web: Examine application logs for any unusual activity related to MDX processing or file uploads. Look for error messages or unexpected behavior after processing MDX files.
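The two npm commands above have to be read by a person; on a fleet of projects it is handier to have a script give a yes/no answer. The following is an added example written for this page, not tooling from the advisory or from the next-mdx-remote project. It reads the resolved version from node_modules/next-mdx-remote/package.json (an assumption about the project layout) and compares it against the affected range. It also assumes that the 6.0.0 fix release itself is patched, so the range it flags is 4.3.0 up to, but not including, 6.0.0.

```shell
#!/bin/sh
# Added example (not part of this advisory or of the next-mdx-remote project):
# flag an installed next-mdx-remote whose version lies in the range the advisory
# lists as affected. Assumption: versions from 4.3.0 up to, but not including,
# the 6.0.0 fix are affected, so 6.0.0 itself is treated as patched.

# Compare two dotted versions (pre-release/build suffixes such as "-canary.1"
# are ignored). Prints -1, 0 or 1 for a < b, a = b, a > b.
vercmp() {
  a=${1%%[-+]*}
  b=${2%%[-+]*}
  i=1
  while [ "$i" -le 3 ]; do
    # Append ".0.0.0" so short versions such as "5" or "5.1" pad to three fields.
    x=$(printf '%s.0.0.0' "$a" | cut -d. -f"$i")
    y=$(printf '%s.0.0.0' "$b" | cut -d. -f"$i")
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Succeeds (exit 0) when VERSION is inside the affected range [4.3.0, 6.0.0).
is_vulnerable_version() {
  [ "$(vercmp "$1" 4.3.0)" -ge 0 ] && [ "$(vercmp "$1" 6.0.0)" -lt 0 ]
}

# Read the resolved version from node_modules/next-mdx-remote/package.json
# under PROJECT_DIR (assumed layout). Fails when the package is not installed.
installed_version() {
  pkg="${1:-.}/node_modules/next-mdx-remote/package.json"
  [ -f "$pkg" ] || return 1
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
}

# Print a verdict for PROJECT_DIR: returns 1 when the affected range is hit,
# 2 when the package is absent, 0 otherwise.
check_project() {
  v=$(installed_version "$1") && [ -n "$v" ] || {
    echo "next-mdx-remote is not installed under ${1:-.}"
    return 2
  }
  if is_vulnerable_version "$v"; then
    echo "VULNERABLE: next-mdx-remote $v is in the CVE-2026-0969 range; upgrade to 6.0.0 or later"
    return 1
  fi
  echo "OK: next-mdx-remote $v is outside the affected range"
  return 0
}

# Usage: sh check-next-mdx-remote.sh /path/to/project
if [ -n "${1:-}" ]; then
  check_project "$1"
fi
```

The exit code makes the script usable as a CI gate: a non-zero return from check_project fails the job, so a dependency bump that drags the package back into the affected range is caught before deployment. Because it reads the installed package rather than package.json's declared range, it reports what actually runs, which is what matters for a lockfile-pinned application.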
disclosure
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-0969 is to upgrade to next-mdx-remote version 6.0.0 or later. If upgrading immediately is not feasible, consider implementing stricter input validation and sanitization of MDX content before it is processed. While not a complete solution, this can reduce the attack surface. Reviewing and restricting the sources of MDX content is also crucial. There are no specific WAF rules or detection signatures readily available for this vulnerability, making proactive code review and timely patching essential. After upgrading, confirm the fix by attempting to process a known malicious MDX file and verifying that it does not result in code execution.
Update to next-mdx-remote version 6.0.0 or later to mitigate the arbitrary code execution vulnerability. This update corrects the lack of proper sanitization of MDX content, preventing the execution of malicious code.
CVE-2026-0969 is a Remote Code Execution vulnerability in the next-mdx-remote package, allowing attackers to execute arbitrary code due to insufficient sanitization of MDX content.
You are affected if you are using next-mdx-remote versions 4.3.0 through 6.0.0 in your Node.js application.
Upgrade to next-mdx-remote version 6.0.0 or later to remediate the vulnerability. Consider input validation as a temporary mitigation.
As of the current disclosure date, there is no evidence of active exploitation in the wild.
Refer to the official next-mdx-remote repository or documentation for the latest advisory and updates regarding CVE-2026-0969.