Critical Next-Mdx-Remote Flaw Vulnerability Allows
Security advisory HCSEC-2026-01 has unveiled a critical vulnerability in `next-mdx-remote`, a popular open-source TypeScript library for Next.js-based React applications. This flaw allows attackers to execute arbitrary code on servers rendering untrusted MDX content. Tracked as CVE-2026-0969, the issue affects versions 4.3.0 through 5.0.0 and has been addressed in version 6.0.0.
The library lets developers pull MDX (Markdown with JSX) from databases, APIs, or user input and render it dynamically on the server or client.
How the Attack Works
MDX mixes Markdown’s simplicity with React components, making it great for blogs, docs, and user-generated content.
The problem lies in the library's `serialize` and `compileMDX` functions. These lacked proper sanitization for JavaScript expressions in untrusted MDX.
| Aspect | Information |
|---|---|
| CVE ID | CVE-2026-0969 |
| Affected | next-mdx-remote 4.3.0 to 5.0.0 |
| CVSS Score | Critical (estimated 9.8/10) |
| Impact | RCE on SSR with untrusted MDX |
Attackers could sneak in malicious code such as `eval()`, `Function()`, or `require()` hidden in curly braces `{}`. When the server processes this during server-side rendering (SSR), it executes the code with full server privileges.
This leads to remote code execution (RCE), potentially letting hackers steal data, install malware, or take over the server.
For example, an attacker submits MDX like `{require('child_process').execSync('rm -rf /')}`. If JavaScript expressions are enabled (the default in affected versions), the server runs them blindly.
Version 6.0.0 brings breaking changes: JavaScript expressions are now blocked by default (`blockJS: true`).
When they are enabled (`blockJS: false`), a new `blockDangerousJS: true` option (default on) filters risky globals like `process`, `eval`, and `require`.
Upgrade to next-mdx-remote 6.0.0 immediately if you handle untrusted MDX on servers. Audit code for `compileMDX` or `serialize` calls.
Never render user-supplied MDX without sanitization. Use libraries like remark-rehype for extra safety. Test in staging to catch breaks from the defaults.
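As an added example (not code from next-mdx-remote or the advisory), the following pre-render audit scans untrusted MDX for `{...}` expressions that reference the globals the advisory names, the same class of content that `blockDangerousJS` is meant to filter; the identifier list, helper names and sample document are constructed assumptions, and this check complements the upgrade rather than replacing it.

```javascript
// Added example, not from next-mdx-remote or the advisory. Flags JSX expressions
// in untrusted MDX that reference risky globals before the content is rendered.
// Assumption: the list below extends the advisory's examples (process, eval, require).
const DANGEROUS_GLOBALS = ["eval", "Function", "require", "process", "import", "globalThis"];

// Extract top-level {...} expressions from MDX source. Fenced code blocks and
// inline code are skipped, since braces there are literal text, not JSX.
function extractExpressions(mdx) {
  const exprs = [];
  let i = 0, depth = 0, start = -1;
  while (i < mdx.length) {
    if (mdx.startsWith("```", i)) {               // skip a fenced code block
      const end = mdx.indexOf("```", i + 3);
      i = end === -1 ? mdx.length : end + 3;
      continue;
    }
    const ch = mdx[i];
    if (ch === "`" && depth === 0) {              // skip inline code
      const end = mdx.indexOf("`", i + 1);
      i = end === -1 ? mdx.length : end + 1;
      continue;
    }
    if (ch === "{") { if (depth === 0) start = i + 1; depth++; }
    else if (ch === "}" && depth > 0) {
      depth--;
      if (depth === 0) exprs.push(mdx.slice(start, i));
    }
    i++;
  }
  return exprs;
}

// Return the expressions that use a dangerous global as a bare identifier
// (a property access such as `obj.process` is not a global reference).
function findDangerousExpressions(mdx) {
  const pattern = new RegExp(`(?<![\\w$.])(${DANGEROUS_GLOBALS.join("|")})\\b`);
  return extractExpressions(mdx).filter((expr) => pattern.test(expr));
}

// Constructed sample: one benign expression, one malicious, one inside a fence.
const SAMPLE_MDX = `# Hello
Today is {new Date().getFullYear()}.
{require("child_process").execSync("id")}
\`\`\`js
{process.env.SECRET}   // literal text inside a fence, never evaluated
\`\`\`
`;

// findDangerousExpressions(SAMPLE_MDX) returns ['require("child_process").execSync("id")']
```

Run this over submitted MDX in the ingestion path and reject or quarantine any document with findings; it is a lint, so a determined author can still obfuscate, which is why the 6.0.0 defaults remain the real fix.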
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.