Mar 1, 2026·5 min read·7 visits
Improper configuration of the 'gray-matter' library in TinaCMS allows attackers to execute arbitrary code by embedding JavaScript in markdown frontmatter. Upgrade to version 3.1.1 immediately.
TinaCMS versions prior to 3.1.1 contain a critical arbitrary code execution vulnerability stemming from insecure default configurations in its markdown parsing logic. The system utilizes the 'gray-matter' library to process content files but fails to disable the execution of embedded JavaScript and CoffeeScript within frontmatter blocks. This allows authenticated attackers with content creation privileges—or external actors capable of submitting pull requests—to inject malicious payloads that execute in the context of the TinaCMS server or CLI tools during the build process.
TinaCMS is a headless content management system that enables developers to build content editing capabilities directly into React-based applications. A core function of the CMS is parsing markdown files to extract metadata (frontmatter) and content. This parsing is handled by the gray-matter library.
The vulnerability exists because TinaCMS initialized gray-matter without restricting its default engine capabilities. By default, gray-matter recognizes delimiters for multiple languages, including JavaScript (---js) and CoffeeScript (---coffee). When the library encounters these delimiters, it attempts to parse the content as code, often using unsafe evaluation methods like eval or require. This behavior transforms the markdown parser into a vector for server-side code execution.
An attacker can exploit this by creating or modifying a markdown file to include a malicious script in the frontmatter. When the TinaCMS GraphQL server or CLI tool processes this file, the injected code is executed on the host system. This affects the tinacms core package, as well as @tinacms/cli and @tinacms/graphql.
The root cause of CVE-2025-68278 is the failure to explicitly disable unsafe parsing engines in the gray-matter configuration. While gray-matter is a robust library, its documentation explicitly warns that the JavaScript and CoffeeScript parsers are unsafe for untrusted input because they execute code during the parsing phase.
In the vulnerable versions of TinaCMS, the parsing logic resides in packages/@tinacms/graphql/src/database/util.ts. The code invoked the parser without passing an engines configuration object that restricted supported languages. Consequently, the library fell back to its defaults, which include support for js, javascript, coffee, and coffeescript.
This behavior violates the principle of least privilege regarding input handling. A content management system should treat data files as static content or strictly structured data (like YAML or JSON), never as executable scripts. By implicitly trusting the default behavior of the dependency, TinaCMS exposed the underlying runtime environment to arbitrary code execution.
The remediation involves explicitly overriding the unsafe engines in the gray-matter configuration. The developers introduced a configuration object that defines custom handlers for the dangerous types, forcing them to throw errors instead of executing code.
Below is the analysis of the fix applied in packages/@tinacms/graphql/src/database/util.ts:
// PATCH ANALYSIS: Explicitly disable unsafe engines
const matterEngines = {
// Define handlers that immediately throw errors when invoked
js: {
parse: () => {
throw new Error('JavaScript execution in frontmatter is not allowed for security reasons');
},
stringify: () => {
throw new Error('JavaScript execution in frontmatter is not allowed for security reasons');
},
},
// Apply the same restriction to aliases and CoffeeScript
javascript: {
parse: () => { throw new Error(...); },
stringify: () => { throw new Error(...); }
},
coffee: {
parse: () => { throw new Error(...); },
stringify: () => { throw new Error(...); }
},
coffeescript: {
parse: () => { throw new Error(...); },
stringify: () => { throw new Error(...); }
},
// TOML and YAML remain supported (omitted for brevity)
};
// The matter function is now called with these restricted engines
// preventing the library from using its default unsafe eval/require logic.This change ensures that even if an attacker injects a ---js block, the application will reject the file with a security error rather than executing the payload. This is a robust fix as it addresses the issue at the parsing configuration level.
Exploitation requires the ability to modify markdown files processed by TinaCMS. This could be achieved by an authenticated user with content editing permissions, or by an external contributor submitting a malicious Pull Request in workflows where TinaCMS processes PR content automatically (e.g., CI/CD pipelines or preview environments).
The attacker crafts a markdown file replacing standard YAML frontmatter with a JavaScript block. The gray-matter library parses this block using the Node.js require or eval context, allowing access to standard libraries like fs (filesystem) and child_process.
---js
{
"onLoad": (function(){
const { execSync } = require('child_process');
// Execute arbitrary system commands
const output = execSync('id').toString();
// Exfiltrate data or modify system state
require('fs').writeFileSync('pwned.txt', output);
return {};
})()
}
---
# Innocent Looking Post
This content appears normal but triggers RCE on save/build.When the vulnerable TinaCMS instance parses this file, the immediate invoked function expression (IIFE) executes, running the system command id and writing the result to disk.
The impact of this vulnerability is rated High (CVSS 7.3). Successful exploitation grants the attacker the privileges of the Node.js process running the TinaCMS server or CLI.
Confidentiality: Attackers can read sensitive files from the server, including environment variables, database credentials, and source code. In cloud environments (e.g., AWS Lambda, Vercel), they may be able to exfiltrate temporary credentials to pivot to other infrastructure.
Integrity: Attackers can modify files, inject persistent backdoors into the CMS codebase, or alter database contents. They could potentially modify other content files to spread the attack to site visitors (Stored XSS).
Availability: Attackers can crash the server, delete critical files, or consume resources to cause a Denial of Service. Since TinaCMS is often used in build pipelines, this could also poison the build cache or compromise the deployment chain.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P| Product | Affected Versions | Fixed Version |
|---|---|---|
tinacms TinaCMS | < 3.1.1 | 3.1.1 |
@tinacms/cli TinaCMS | < 2.0.4 | 2.0.4 |
@tinacms/graphql TinaCMS | < 2.0.3 | 2.0.3 |
| Attribute | Detail |
|---|---|
| CWE | CWE-94: Improper Control of Generation of Code |
| CVSS v4.0 | 7.3 (High) |
| Attack Vector | Network |
| Privileges Required | Low (Content Editor) |
| Affected Library | gray-matter |
| Exploit Status | Proof of Concept Available |
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
A local security vulnerability in the Nuxt development server (nuxt dev) allows local unprivileged users to access sensitive configuration files and source code. On Linux environments running Node.js 20+, Nuxt bound its internal vite-node IPC server to an abstract-namespace Unix socket without any peer authentication, enabling co-resident local users to connect and request module code directly.
Mozilla Bleach is an open-source HTML sanitizing library for Python. Versions up to and including 6.3.0 contain an incomplete filtering implementation in the URI validation logic ('sanitize_uri_value'). This logic fails to detect disallowed protocols, such as 'javascript:', if they contain Unicode invisible characters, whitespace characters, or characters with a code point greater than U+00A0. While standard-compliant web browsers do not directly execute invalid URI schemes containing these non-standard characters, downstream systems that normalize Unicode text by stripping invisible or non-ASCII characters can unintentionally reactivate the 'javascript:' prefix, causing Cross-Site Scripting (XSS). Additionally, this behavior violates Bleach's core sanitization contract by outputting URIs that bypass protocol allowlists configured by the caller.
An uncontrolled resource consumption vulnerability exists in the Python package Bleach when parsing text to linkify email addresses. When `parse_email=True` is enabled, the regular expression engine is forced into a quadratic-time complexity scan on specially crafted payloads lacking an '@' symbol. This causes immediate CPU exhaustion and blocks application server worker processes.
A path traversal and sandbox escape vulnerability in LangChain and LangChain-Anthropic Python packages allows unauthenticated local attackers to access files outside the restricted directory via crafted input, symbolic links, or prefix bypasses.
The PHP Secure Communications Library (phpseclib) contains a Server-Side Request Forgery (SSRF) vulnerability due to an insecure default implementation of Authority Information Access (AIA) certificate chasing. This flaw allows remote, unauthenticated attackers to coerce applications validating user-supplied X.509 certificates into generating arbitrary outbound HTTP requests to internal networks or local interfaces.
A directory traversal vulnerability exists in the Microsoft .NET System.Formats.Tar library during archive extraction. When extracting a TAR archive using the TarFile.ExtractToDirectory API, the extraction engine improperly resolves symbolic links prior to file creation, allowing local unauthorized attackers to write or overwrite arbitrary files outside the target directory. This can lead to local tampering, privilege escalation, or arbitrary code execution.