gatsby-transformer-remark has possible unsanitized JavaScript code injection

Description

The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the gray-matter npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized.

Recommendation

Update the gatsby-transformer-remark package to the latest compatible version. Followings are version details:

• Affected version(s): **< 5.25.1

  >= 6.0.0, < 6.3.2**

• Patched version(s): **5.25.1

  6.3.2**

References

• GHSA-7ch4-rr99-cqcw
• CVE-2023-22491
• CWE-20
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Unsanitized JavaScript code injection possible in gatsby-plugin-mdx - CVE-2022-25863
• i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885
• jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
• jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

How do hackers hack websites?

Tags:

npm

gatsby-transformer-remark