Critical Vulnerability in Next-Mdx-Remote Allows Arbitrary Code Execution in React Server-Side Rendering - CyberSecurityNews
CyberSecurityNews, archived Mar 20, 2026
Security advisory HCSEC-2026-01 revealed a critical vulnerability in the next-mdx-remote library that allows attackers to execute arbitrary code on servers rendering untrusted MDX content.
Tracked as CVE-2026-0969, the issue affects versions 4.3.0 through 5.0.0 and is fixed in 6.0.0. Next-mdx-remote is a popular open-source TypeScript library for Next.js-based React apps.
It lets developers pull MDX (Markdown with JSX) from databases, APIs, or user input and render it dynamically on the server or client.
How the Attack Works
MDX mixes Markdown’s simplicity with React components, making it great for blogs, docs, and user-generated content.
The problem lies in the library's serialize and compileMDX functions: they compiled JavaScript expressions embedded in untrusted MDX without sanitizing or blocking them.
CVE ID: CVE-2026-0969
Affected versions: next-mdx-remote 4.3.0 to 5.0.0 (fixed in 6.0.0)
CVSS score: Critical (estimated 9.8/10)
Impact: remote code execution on servers rendering untrusted MDX
Attackers can embed malicious code such as eval(), Function(), or require() inside an MDX expression, the curly-brace {} syntax. When the server evaluates that expression during server-side rendering (SSR), the code runs with the privileges of the Node.js process doing the rendering.
This leads to remote code execution (RCE), potentially letting attackers steal data, install malware, or take over the server.
For example, an attacker submits MDX such as {require('child_process').execSync('rm -rf /')}. If JavaScript expressions are enabled (the default in affected versions), the server evaluates the expression with no checks.
Version 6.0.0 brings breaking changes: JavaScript expressions are now blocked by default (blockJS: true).
If a site deliberately re-enables expressions (blockJS: false), a new blockDangerousJS: true option, also on by default, filters risky globals such as process, eval, and require.
Upgrade to next-mdx-remote 6.0.0 immediately if you render untrusted MDX on a server, and audit your code for every compileMDX or serialize call to confirm which inputs each one receives.
Never render user-supplied MDX without sanitization. Add an explicit sanitization step to the remark/rehype pipeline; remark-rehype on its own only converts the Markdown tree to HTML and does not remove JavaScript expressions. Test in staging to catch content that breaks under the new defaults.
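As an added illustration (not code from the advisory, this article, or the next-mdx-remote project), the following JavaScript gate refuses untrusted MDX that still carries any construct the compiler would turn into code: expressions in curly braces, JSX tags, and top-level import/export statements. It strips fenced and inline code first, since braces there are literal, and it is written to fail closed wherever the scan is unsure. The function names, sample documents, and finding labels are all constructed for this example. It is a defence-in-depth check to run before compileMDX or serialize on content you do not trust, alongside, not instead of, the upgrade to 6.0.0.

```javascript
"use strict";

// Added example, not code from next-mdx-remote or HashiCorp: a fail-closed
// pre-check for MDX that arrives from an untrusted source (comments, CMS
// fields, API payloads). It refuses any document that still contains the
// constructs MDX compiles into JavaScript, so nothing that could execute on
// the server is handed to compileMDX() or serialize(). It complements the
// upgrade to 6.0.0 (blockJS: true by default); it does not replace it.

// Fenced code blocks (three or more backticks or tildes, indented up to 3
// spaces) are literal in MDX, so a `{` inside them is harmless. Each block is
// replaced by a placeholder containing no `{`, no `<` and no leading keyword.
// A closing fence must be at least as long as the opening one. An unclosed
// fence is left alone, so its body is still scanned: a false rejection is
// the safe direction of error.
const FENCES = [
  // Backtick fence; the info string may not contain a backtick.
  /^ {0,3}(`{3,})[^`\n]*\n[\s\S]*?\n {0,3}\1`*[ \t]*$/gm,
  // Tilde fence.
  /^ {0,3}(~{3,})[^\n]*\n[\s\S]*?\n {0,3}\1~*[ \t]*$/gm,
];

// Inline code: a run of N backticks up to the next run of exactly N. A span
// may not cross a blank line (paragraph break); otherwise one stray backtick
// could hide an expression in the following paragraph from the scan.
const INLINE_CODE = /(`+)(?!`)(?:(?!\n[ \t]*\n)[\s\S])*?(?<!`)\1(?!`)/g;

function stripCode(mdx) {
  let text = mdx;
  for (const re of FENCES) text = text.replace(re, "[code block omitted]");
  return text.replace(INLINE_CODE, "[code omitted]");
}

// Everything MDX turns into JavaScript, matched after code has been removed.
const CHECKS = [
  // Any `{` outside code starts an expression (an unmatched one is a parse
  // error); both are rejected.
  { name: "JavaScript expression", re: /\{/ },
  // `<` followed by a tag name, `/` or `>` is JSX; `<` followed by a space,
  // digit or `=` is ordinary text ("a < b").
  { name: "JSX element", re: /<(?:[A-Za-z_$]|\/|>)/ },
  // import/export at the start of a line is ESM in MDX and also executes.
  { name: "ESM import/export statement", re: /^(?:import|export)\b/m },
];

function auditUntrustedMdx(mdx) {
  const text = stripCode(mdx);
  const findings = CHECKS.filter((c) => c.re.test(text)).map((c) => c.name);
  return { safe: findings.length === 0, findings };
}

// Throws rather than returning a flag, so a caller cannot forget to look at
// the verdict before passing the MDX on to compileMDX() or serialize().
function gateUntrustedMdx(mdx) {
  const { safe, findings } = auditUntrustedMdx(mdx);
  if (!safe) throw new Error("untrusted MDX rejected: " + findings.join("; "));
  return mdx;
}

// Constructed samples for this example (not taken from the advisory).
const FENCE = "\x60".repeat(3); // three backticks, built without typing them
const SAMPLES = {
  // The payload shape from the article: an expression reaching execSync.
  exprPayload: "Hi {require('child_process').execSync('id').toString()}\n",
  // Braces inside fenced and inline code are literal and must be allowed.
  benignCode:
    "# Config\n\nSet `{ strict: true }` in your config:\n\n" +
    FENCE + "json\n{ \"strict\": true }\n" + FENCE + "\n",
  // A tilde fence closed by a longer fence still counts as code.
  tildeFence: "~~~\n{ not: 'an expression' }\n~~~~\n",
  // ESM statements are code execution too, not only expressions.
  esmPayload: "import { execSync } from 'child_process'\n",
  // JSX lets untrusted content instantiate arbitrary components.
  jsxTag: "Hello <Widget /> there\n",
  // A stray backtick must not hide an expression in the next paragraph.
  strayTick: "A lone ` here\n\n{process.exit(1)}\n\nand another ` there\n",
  // Comparison operators in prose are not JSX.
  comparison: "Requires 1 < 2 and a <= b to hold.\n",
};

function runSamples() {
  const verdicts = {};
  for (const [name, mdx] of Object.entries(SAMPLES)) {
    verdicts[name] = auditUntrustedMdx(mdx);
  }
  return verdicts;
}

for (const [name, v] of Object.entries(runSamples())) {
  console.log(name.padEnd(12), v.safe ? "allowed" : "rejected: " + v.findings.join(", "));
}
```

The stray-backtick sample shows why the inline-code stripper refuses to span a blank line: CommonMark ends a code span at a paragraph break, so letting the regex cross one would turn a lone backtick into a way to smuggle an expression past the scan. The remaining gap is MDX's own parser: any construct it accepts that this scan does not model would still get through, which is why the gate belongs in front of a patched 6.0.0 install rather than serving as the only control on an affected version.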