next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content

Description

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content.

Recommendation

Update the next-mdx-remote package to the latest compatible version. Followings are version details:

• Affected version(s): >= 4.3.0, < 6.0.0
• Patched version(s): 6.0.0

References

• GHSA-g4xw-jxrg-5f6m
• discuss.hashicorp.com
• CVE-2026-0969
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• seroval Affected by Remote Code Execution via JSON Deserialization - CVE-2026-23737
• FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
• Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - @strapi/plugin-email - CVE-2023-22621
• Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621

You might also like:

Exploiting Server Version Disclosure

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

next-mdx-remote