Critical RCE Vulnerability Discovered in next-mdx-remote Library
A severe security flaw (CVE-2026-0969) has been identified in next-mdx-remote, a widely used TypeScript library for rendering MDX content in React applications. Disclosed by HashiCorp on February 11, 2026, under bulletin HCSEC-2026-01, the vulnerability allows attackers to execute arbitrary code on servers processing untrusted MDX content.
The issue stems from insufficient sanitization in the serialize function in versions 4.3.0 through 5.0.0 when JavaScript expressions are enabled. An attacker who can get malicious MDX content into that serialization path gains remote code execution (RCE) on the server. Applications that accept untrusted MDX input for server-side rendering are therefore the ones at risk.
HashiCorp has released version 6.0.0 to mitigate the threat. It introduces a breaking change that disables JavaScript expressions by default (blockJS: true). Deployments that must keep JavaScript expressions enabled can set blockDangerousJS, which restricts high-risk operations such as eval, Function, and require while blockJS is disabled.
The vulnerability was discovered by researchers at Sejong University. Organizations using affected versions are advised to upgrade immediately and review configurations to ensure JavaScript expressions are only enabled with proper safeguards.
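As an added example that is not part of the article, HashiCorp's bulletin or the next-mdx-remote project itself, the TypeScript below does the two checks the advisory asks for: it audits a package-lock.json for every installed copy of next-mdx-remote against the version range the bulletin gives (4.3.0 to 5.0.0 affected, 6.0.0 fixed), and it checks a serialize options object against the 6.0.0 mitigation. Assumptions: the lockfile has the npm v2/v3 shape with a top-level "packages" map; versions are plain release versions (pre-release suffixes are ignored); and the blockJS and blockDangerousJS flags, whose names come from the advisory, are treated as top-level serialize options, which is this example's assumption rather than a documented signature. The sample lockfile and the package name legacy-docs-widget are constructed.

```typescript
// Added example (not from the article, HashiCorp or next-mdx-remote): audit a
// lockfile for the affected next-mdx-remote range and check serialize options
// against the 6.0.0 mitigation described in the advisory.

// Version boundaries as stated in the advisory.
const AFFECTED_MIN = "4.3.0";
const AFFECTED_MAX = "5.0.0";
const FIXED_VERSION = "6.0.0";

// Minimal major.minor.patch parser. Assumption: lockfile versions are plain
// release versions; any pre-release suffix is ignored.
function parseVersion(v: string): number[] {
  const parts = v.split("-")[0].split(".").map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

type VersionStatus = "affected" | "fixed" | "review";

// "affected": inside the published range; "fixed": at or above 6.0.0;
// "review": outside both (the advisory says nothing about it, so upgrade anyway).
function classifyVersion(version: string): VersionStatus {
  if (compareVersions(version, FIXED_VERSION) >= 0) return "fixed";
  if (compareVersions(version, AFFECTED_MIN) >= 0 &&
      compareVersions(version, AFFECTED_MAX) <= 0) return "affected";
  return "review";
}

interface LockfilePackage { version?: string; }
interface Lockfile { packages?: Record<string, LockfilePackage>; }
interface Finding { path: string; version: string; status: VersionStatus; }

// Walk the npm v2/v3 "packages" map (assumed lockfile shape) and report every
// installed copy, including nested ones pulled in by other dependencies.
function auditLockfile(lock: Lockfile): Finding[] {
  const findings: Finding[] = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (!path.endsWith("node_modules/next-mdx-remote") || !entry.version) continue;
    findings.push({ path, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Flag names come from the advisory; treating them as top-level serialize()
// options is an assumption of this example.
interface SerializeGuardOptions { blockJS?: boolean; blockDangerousJS?: boolean; }

// Untrusted MDX is only acceptable on a fixed build, and then only when JS
// expressions are blocked (the 6.0.0 default) or the dangerous-JS guard is on.
function isSafeForUntrustedMdx(version: string, opts: SerializeGuardOptions): boolean {
  if (classifyVersion(version) !== "fixed") return false; // no option helps here
  if (opts.blockJS !== false) return true;                // default blockJS: true
  return opts.blockDangerousJS === true;
}

// Constructed sample: patched top-level copy plus a nested affected copy
// pinned by a (constructed) transitive dependency.
const sampleLock: Lockfile = {
  packages: {
    "node_modules/next-mdx-remote": { version: "6.0.0" },
    "node_modules/legacy-docs-widget/node_modules/next-mdx-remote": { version: "4.4.1" },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.status.padEnd(8)} ${f.version.padEnd(7)} ${f.path}`);
}
console.log("6.0.0 + {blockJS:false}:",
  isSafeForUntrustedMdx("6.0.0", { blockJS: false }));
console.log("6.0.0 + {blockJS:false, blockDangerousJS:true}:",
  isSafeForUntrustedMdx("6.0.0", { blockJS: false, blockDangerousJS: true }));
```

Run it with ts-node or tsx against a real lockfile by replacing sampleLock with the parsed file. Walking the whole "packages" map rather than checking the top-level dependency alone matters here: a transitive dependency can pin a copy in the affected range while the top-level copy is already on 6.0.0, and the nested copy is the one that serializes its own MDX.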
Source: https://gbhackers.com/next-mdx-remote-vulnerability/
HashiCorp TPRM report: https://www.rankiteo.com/company/hashicorp
{
  "id": "has1770972466",
  "linkid": "hashicorp",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Technology, Web Development",
      "name": "Organizations using next-mdx-remote library",
      "type": "Software/Technology"
    }
  ],
  "attack_vector": "User-supplied MDX content with malicious JavaScript expressions",
  "date_publicly_disclosed": "2026-02-11",
  "description": "A severe security flaw (CVE-2026-0969) has been identified in next-mdx-remote, a widely used TypeScript library for rendering MDX content in React applications. The vulnerability allows attackers to execute arbitrary code on servers processing untrusted MDX content due to insufficient sanitization in the `serialize` function across versions 4.3.0 to 5.0.0, where JavaScript expressions are enabled. Exploitation occurs when malicious code is injected via user-supplied MDX content, granting remote code execution (RCE) capabilities.",
  "impact": {
    "operational_impact": "Potential arbitrary code execution on affected servers",
    "systems_affected": "Servers processing untrusted MDX content in React applications"
  },
  "investigation_status": "Vulnerability disclosed and patched",
  "lessons_learned": "Organizations should ensure proper sanitization of user-supplied content and disable dangerous JavaScript expressions unless absolutely necessary. Regularly update dependencies to mitigate known vulnerabilities.",
  "post_incident_analysis": {
    "corrective_actions": "Released version 6.0.0 with `blockJS: true` by default and added `blockDangerousJS` for restricted operations",
    "root_causes": "Insufficient sanitization in the `serialize` function allowing JavaScript expressions in untrusted MDX content"
  },
  "recommendations": "1. Upgrade to next-mdx-remote version 6.0.0 or later immediately. 2. Review configurations to ensure JavaScript expressions are disabled (`blockJS: true`) or restricted (`blockDangerousJS`). 3. Audit applications for untrusted MDX input processing. 4. Monitor for signs of exploitation in logs.",
  "references": [
    {"source": "HashiCorp Security Bulletin HCSEC-2026-01"},
    {"source": "Sejong University Researchers"}
  ],
  "response": {
    "containment_measures": "Upgrade to version 6.0.0 or later",
    "remediation_measures": "Disable JavaScript expressions by default (`blockJS: true`) or use `blockDangerousJS` to restrict high-risk operations"
  },
  "title": "Critical RCE Vulnerability Discovered in next-mdx-remote Library (CVE-2026-0969)",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "Insufficient sanitization in the `serialize` function (CVE-2026-0969)"
}