{
  "schema_version": "1.4.0",
  "id": "GHSA-7ch4-rr99-cqcw",
  "modified": "2023-01-23T18:42:36Z",
  "published": "2023-01-11T18:27:15Z",
  "aliases": [
    "CVE-2023-22491"
  ],
  "summary": "gatsby-transformer-remark has possible unsanitized JavaScript code injection",
  "details": "### Impact\nThe gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized.  The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL).  Injected JavaScript executes in the context of the build server.\n\nTo exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark.  The following payload demonstrates a vulnerable configuration:\n```\n---js\n((require(\"child_process\")).execSync(\"id >> /tmp/rce\"))\n--- \n```\n\n### Patches\nA patch has been introduced in `gatsby-transformer-remark@5.25.1` and `gatsby-transformer-remark@6.3.2` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine.  The patch introduces a new option, `JSFrontmatterEngine` which is set to `false` by default.  When setting `JSFrontmatterEngine` to `true`, input passed to `gatsby-plugin-mdx` must be sanitized before processing to avoid a security risk.  Warnings are displayed when enabling `JSFrontmatterEngine` to `true` or if it appears that the MarkdownRemark input is attempting to use the Frontmatter engine.\n\n### Workarounds\nIf an older version of `gatsby-transformer-remark` must be used, input passed into the plugin should be sanitized ahead of processing.\n\n**We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.**\n\n\n### For more information\nEmail us at [security@gatsbyjs.com](mailto:security@gatsbyjs.com).",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "gatsby-transformer-remark"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.3.2"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "gatsby-transformer-remark"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.25.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-7ch4-rr99-cqcw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22491"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gatsbyjs/gatsby"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-11T18:27:15Z",
    "nvd_published_at": "2023-01-13T19:15:00Z"
  }
}