gatsby-transformer-remark has possible unsanitized JavaScript code injection

Severity:: High

Description

The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the gray-matter npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized.

Recommendation

Update the gatsby-transformer-remark package to the latest compatible version. Followings are version details:

Affected version(s): **< 5.25.1 >= 6.0.0, < 6.3.2**
Patched version(s): **5.25.1 6.3.2**

References

GHSA-7ch4-rr99-cqcw
CVE-2023-22491
CWE-20
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Unsanitized JavaScript code injection possible in gatsby-plugin-mdx - CVE-2022-25863
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin (GHSA-2h87-4q2w-v4hf) - CVE-2023-22621
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621
nuxt Code Injection vulnerability - CVE-2023-3224

Tags:: npm; gatsby-transformer-remark

Anything's wrong? Let us know Last updated on January 23, 2023