next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content
Severity: High
Description
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content.
Recommendation
Update the next-mdx-remote package to the latest compatible version. Version details are as follows:
- Affected version(s): >= 4.3.0, < 6.0.0
- Patched version(s): 6.0.0
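As an added example (not code from the next-mdx-remote project or this advisory), the following script checks whether installed copies of next-mdx-remote fall inside the affected range stated above (>= 4.3.0, < 6.0.0). It implements a minimal semver comparison so it runs without the `semver` package, and walks the `packages` map of a package-lock.json (lockfile version 2 or 3) so nested copies under other dependencies are found as well; the lockfile contents and the treatment of pre-release tags are constructed for illustration.

```javascript
// Added example: flag installed next-mdx-remote versions in the advisory's affected range.
// Range and patched version are taken from the advisory text above.
const ADVISORY = {
  name: "next-mdx-remote",
  affected: { min: "4.3.0", maxExclusive: "6.0.0" },
  patched: "6.0.0",
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// Assumption: a pre-release (e.g. "6.0.0-canary.1") sorts below its final release,
// so it is still treated as unpatched.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// True when version is within [min, maxExclusive).
function isAffected(version) {
  return compareVersions(version, ADVISORY.affected.min) >= 0 &&
         compareVersions(version, ADVISORY.affected.maxExclusive) < 0;
}

// Walk a package-lock.json (v2/v3) "packages" map; keys are install paths such as
// "node_modules/next-mdx-remote" or "node_modules/foo/node_modules/next-mdx-remote".
function findAffected(lockfile) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${ADVISORY.name}`)) continue;
    if (pkg.version && isAffected(pkg.version)) {
      hits.push({ path, version: pkg.version, upgradeTo: ADVISORY.patched });
    }
  }
  return hits;
}

// Constructed sample lockfile (not real project data): one affected copy at the
// top level, one older, unaffected copy nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next-mdx-remote": { version: "4.4.1" },
    "node_modules/legacy-docs/node_modules/next-mdx-remote": { version: "4.2.0" },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any reported path needs its copy of next-mdx-remote moved to 6.0.0 or later, and content passed to `serialize` should in any case come only from trusted authors.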
References
Related Issues
- Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin (GHSA-2h87-4q2w-v4hf) - CVE-2023-22621
- Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE) - CVE-2026-23733
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- seroval Affected by Remote Code Execution via JSON Deserialization - CVE-2026-23737
Tags: npm, next-mdx-remote
Last updated on February 24, 2026