next-mdx-remote: Critical Vulnerability in Next-Mdx-Remote Allows Arbitrary Code Execution in React Server-Side Rendering

Critical RCE Vulnerability in next-mdx-remote Library (CVE-2026-0969)

A critical security flaw in the next-mdx-remote library, tracked as CVE-2026-0969, allows attackers to execute arbitrary code on servers rendering untrusted MDX content. The vulnerability affects versions 4.3.0 through 5.0.0 and has been patched in 6.0.0.

next-mdx-remote, a widely used open-source TypeScript library for Next.js-based React applications, renders MDX (Markdown with JSX) dynamically from databases, APIs, or user input; it is commonly used in blogs, documentation sites, and user-generated content platforms.

How the Attack Works

The vulnerability stems from insufficient sanitization in the library’s serialize and compileMDX functions, which fail to block malicious JavaScript expressions in untrusted MDX. Attackers can embed harmful code such as eval(), Function(), or require() within curly braces ({}). When processed during server-side rendering (SSR), the server executes the code with full privileges, leading to remote code execution (RCE).

For example, an attacker could submit MDX containing:

{require('child_process').execSync('rm -rf /')}

If JavaScript expressions are enabled (the default in vulnerable versions), the server executes the command, potentially allowing data theft, malware installation, or full server compromise.

Mitigation & Fix

Version 6.0.0 introduces breaking changes to address the issue:

  • JavaScript expressions are now blocked by default (blockJS: true).
  • When enabled (blockJS: false), a new blockDangerousJS: true option (default) filters high-risk globals like process, eval, and require.

Developers handling untrusted MDX on servers should upgrade to 6.0.0 immediately. Additional precautions include auditing code for compileMDX or serialize calls and using sanitization libraries like remark-rehype for enhanced security.
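The following is an added example, not code from next-mdx-remote or from the article: a pre-render gate that scans untrusted MDX for JSX expressions (content inside curly braces) and flags references to the high-risk globals named above, so that a document can be rejected before it ever reaches compileMDX or serialize. The option names blockJS and blockDangerousJS are borrowed from the description of the 6.0.0 defaults, but the gate itself, its function names, its list of flagged identifiers and the three sample documents are assumptions made for illustration; the gate is a defence-in-depth check and does not replace upgrading to 6.0.0.

```javascript
// Added example (not next-mdx-remote's own code): a pre-render gate that
// scans untrusted MDX for JSX expressions ({ ... }) and flags references to
// high-risk globals before the content reaches compileMDX/serialize.
// Function names and the identifier list are assumptions for illustration.

// Globals the article names as high risk; extend to taste.
const HIGH_RISK_GLOBALS = ["process", "require", "eval", "Function"];

// Strip fenced code blocks and inline code spans: braces inside them are
// literal Markdown, not MDX expressions, so they must not trigger the gate.
function stripCode(mdx) {
  return mdx
    .replace(/```[\s\S]*?```/g, "") // fenced blocks
    .replace(/`[^`\n]*`/g, "");      // inline code spans
}

// Return the body of every top-level { ... } expression, honouring nesting.
function findExpressions(mdx) {
  const src = stripCode(mdx);
  const found = [];
  let depth = 0;
  let start = -1;
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (ch === "{") {
      if (depth === 0) start = i + 1;
      depth++;
    } else if (ch === "}" && depth > 0) {
      depth--;
      if (depth === 0) found.push(src.slice(start, i).trim());
    }
  }
  return found;
}

// Classify a document: list its expressions and which flagged globals appear.
function assessMdx(mdx) {
  const expressions = findExpressions(mdx);
  const dangerous = new Set();
  for (const expr of expressions) {
    for (const name of HIGH_RISK_GLOBALS) {
      // Match only a bare identifier: "child_process" or "obj.require"
      // must not count as the global "process" / "require".
      const re = new RegExp(`(^|[^\\w$.])${name}\\b`);
      if (re.test(expr)) dangerous.add(name);
    }
  }
  return { expressions, dangerous: [...dangerous] };
}

// Gate to call before rendering untrusted MDX. The policy mirrors the 6.0.0
// defaults described in the article: with blockJS every expression is
// rejected; with blockDangerousJS only expressions touching flagged globals are.
function gateUntrustedMdx(mdx, { blockJS = true, blockDangerousJS = true } = {}) {
  const report = assessMdx(mdx);
  if (blockJS && report.expressions.length > 0) {
    return { allowed: false, reason: "JS expressions are not permitted", report };
  }
  if (blockDangerousJS && report.dangerous.length > 0) {
    return { allowed: false, reason: `high-risk globals: ${report.dangerous.join(", ")}`, report };
  }
  return { allowed: true, reason: "ok", report };
}

// Constructed sample inputs (not taken from any real site).
const SAFE_POST = "# Hello\n\nBraces in `{inline}` code are literal.\n\n```js\nconst x = {a: 1};\n```\n";
const EXPR_POST = "# Price\n\nTotal: {1 + 2}\n";
const RISKY_POST = "# Hi\n\n{require('child_process').execSync('id')}\n";

if (typeof require !== "undefined" && require.main === module) {
  for (const doc of [SAFE_POST, EXPR_POST, RISKY_POST]) {
    console.log(gateUntrustedMdx(doc, { blockJS: false }));
  }
}
```

With the defaults (blockJS true) any expression is refused, which is the posture the article recommends for untrusted input; passing blockJS: false shows how much weaker a denylist of globals is, since the gate then admits arbitrary arithmetic or string expressions and relies on the identifier list being complete.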

The vulnerability carries a critical CVSS score (estimated 9.8/10), underscoring the severity of the risk for affected applications.

Source: https://cybersecuritynews.com/vulnerability-in-next-mdx-remote/

next-mdx-remote TPRM report: https://www.rankiteo.com/company/socketinc

{
  "id": "soc1770972392",
  "linkid": "socketinc",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Next.js-based React applications using next-mdx-remote (versions 4.3.0-5.0.0)",
      "industry": "Technology, Web Development",
      "location": "Global",
      "name": "next-mdx-remote library users",
      "type": "Open-source software library"
    }
  ],
  "attack_vector": "Malicious MDX content with embedded JavaScript expressions",
  "description": "A critical security flaw in the next-mdx-remote library, tracked as CVE-2026-0969, allows attackers to execute arbitrary code on servers rendering untrusted MDX content. The vulnerability affects versions 4.3.0 through 5.0.0 and has been patched in 6.0.0. The vulnerability stems from insufficient sanitization in the library's serialize and compileMDX functions, which fail to block malicious JavaScript expressions in untrusted MDX. Attackers can embed harmful code such as eval(), Function(), or require() within curly braces ({}). When processed during server-side rendering (SSR), the server executes the code with full privileges, leading to remote code execution (RCE).",
  "impact": {
    "operational_impact": "Potential full server compromise, data theft, or malware installation",
    "systems_affected": "Servers rendering untrusted MDX content using next-mdx-remote (versions 4.3.0-5.0.0)"
  },
  "lessons_learned": "Insufficient sanitization of user-supplied MDX content can lead to critical RCE vulnerabilities. Default security settings should block dangerous JavaScript expressions.",
  "post_incident_analysis": {
    "corrective_actions": "Introduced breaking changes in version 6.0.0 to block JavaScript expressions by default and filter high-risk globals",
    "root_causes": "Insufficient sanitization of JavaScript expressions in MDX content processed by serialize and compileMDX functions"
  },
  "recommendations": [
    "Upgrade to next-mdx-remote version 6.0.0 immediately",
    "Audit code for compileMDX or serialize calls",
    "Use sanitization libraries like remark-rehype for enhanced security",
    "Disable JavaScript expressions in MDX if not required (blockJS: true)",
    "Enable blockDangerousJS to filter high-risk globals if JavaScript expressions are necessary"
  ],
  "references": [
    { "source": "CVE-2026-0969" }
  ],
  "response": {
    "containment_measures": "Upgrade to version 6.0.0 or later",
    "recovery_measures": "Audit code for compileMDX or serialize calls and use sanitization libraries like remark-rehype",
    "remediation_measures": "Block JavaScript expressions by default (blockJS: true) or enable blockDangerousJS: true to filter high-risk globals"
  },
  "title": "Critical RCE Vulnerability in next-mdx-remote Library (CVE-2026-0969)",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "Insufficient sanitization in serialize and compileMDX functions (CVE-2026-0969)"
}