{"id":10636,"date":"2026-02-13T10:03:57","date_gmt":"2026-02-13T10:03:57","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/13\/critical-vulnerability-in-next-mdx-remote-allows-arbitrary-code-execution-in-react-server-side-rendering\/"},"modified":"2026-02-13T10:03:57","modified_gmt":"2026-02-13T10:03:57","slug":"critical-vulnerability-in-next-mdx-remote-allows-arbitrary-code-execution-in-react-server-side-rendering","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/13\/critical-vulnerability-in-next-mdx-remote-allows-arbitrary-code-execution-in-react-server-side-rendering\/","title":{"rendered":"Critical Vulnerability in Next-Mdx-Remote Allows Arbitrary Code Execution in React Server-Side Rendering"},"content":{"rendered":"

Critical Vulnerability in Next-Mdx-Remote Allows Arbitrary Code Execution in React Server-Side Rendering
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Security advisory HCSEC-2026-01 revealed a critical vulnerability in the next-mdx-remote library that allows attackers to execute arbitrary code on servers rendering untrusted MDX content.<\/p>\n

Tracked as CVE-2026-0969, the issue affects versions 4.3.0 through 5.0.0 and is fixed in 6.0.0. Next-mdx-remote is a popular open-source TypeScript library for Next.js based React apps<\/a>.<\/p>\n

It lets developers pull MDX (Markdown with JSX) from databases, APIs, or user input<\/a> and render it dynamically on the server or client.<\/p>\n

How the Attack Works<\/strong><\/h2>\n

MDX mixes Markdown\u2019s simplicity with React components, making it great for blogs, docs, and user-generated content.<\/p>\n

The problem lies in the library\u2019s\u00a0serialize\u00a0and\u00a0compileMDX\u00a0functions. These lacked proper sanitization for JavaScript expressions<\/a> in untrusted MDX.<\/p>\n

\n\n\n\n\n\n\n\n\n
Aspect<\/th>\nInformation<\/th>\n<\/tr>\n<\/thead>\n
CVE ID<\/strong><\/td>\nCVE-2026-0969<\/strong><\/td>\n<\/tr>\n
Affected<\/strong><\/td>\nnext-mdx-remote 4.3.0 to 5.0.0<\/td>\n<\/tr>\n
CVSS Score<\/strong><\/td>\nCritical (estimated 9.8\/10)<\/td>\n<\/tr>\n
Impact<\/strong><\/td>\nRCE on SSR with untrusted MDX<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Attackers could sneak in malicious code such as\u00a0eval(),\u00a0Function(), or\u00a0require() hidden in curly braces\u00a0{}. When the server processes this during server-side rendering<\/a> (SSR), it executes the code with full server privileges.<\/p>\n

This leads to remote code execution (RCE)<\/a>, potentially letting hackers steal data, install malware, or take over the server.<\/p>\n

For example, an attacker submits MDX like:\u00a0{require(\u2018child_process\u2019).execSync(\u2018rm -rf \/\u2019)}. If JavaScript expressions are enabled (the default), the server runs them blindly.<\/p>\n

Version 6.0.0 brings breaking changes<\/a>: JavaScript expressions are now blocked by default (blockJS: true).<\/p>\n

When enabled (blockJS: false), a new\u00a0blockDangerousJS: true\u00a0option (default on) filters risky globals like\u00a0process,\u00a0eval, and\u00a0require.<\/p>\n

Upgrade to next-mdx-remote 6.0.0 immediately if you handle untrusted MDX on servers<\/a>. Audit code for\u00a0compileMDX\u00a0or\u00a0serialize\u00a0calls.<\/p>\n

Never render user-supplied MDX without sanitization. Use libraries like remark-rehype for extra safety. Test in staging to catch breaks from the defaults.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Critical Vulnerability in Next-Mdx-Remote Allows Arbitrary Code Execution in React Server-Side Rendering<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Critical Vulnerability in Next-Mdx-Remote Allows Arbitrary Code Execution in React Server-Side Rendering Security advisory HCSEC-2026-01 revealed a critical vulnerability in the next-mdx-remote library that allows attackers to execute arbitrary code on servers rendering untrusted MDX content. Tracked as CVE-2026-0969, the issue affects versions 4.3.0 through 5.0.0 and is fixed in 6.0.0. Next-mdx-remote is a popular […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-10636","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10636"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10636"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10636\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}