
TinaCMS: How a Blog Post Becomes a Beachhead (CVE-2025-68278)

Alon Barad
Software Engineer

Jan 3, 2026 · 8 min read

Executive Summary (TL;DR)

A vulnerability in TinaCMS allows attackers to execute code on the server by crafting a malicious markdown file. The issue is caused by the `gray-matter` library, which processes JavaScript in frontmatter by default. Uploading a file with `---js` delimiters leads to RCE. Update to patched versions immediately to disable this functionality.

CVE-2025-68278 is a critical Remote Code Execution (RCE) vulnerability in TinaCMS, a popular headless CMS. The flaw stems from its dependency, the `gray-matter` library, which, in a stunning display of optimism, defaults to executing JavaScript or CoffeeScript found in markdown frontmatter. This allows an attacker with permission to upload a seemingly harmless markdown file to gain complete control of the server, turning a simple content update into a full-scale system compromise. The fix involves explicitly disabling these dangerous 'features,' reminding us that sometimes the most helpful libraries are the ones holding a loaded gun.
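As an added illustration (not code from this page, TinaCMS, or gray-matter), the block below shows the hardening the fix describes next to a defender's check for the risky delimiter. It assumes gray-matter's documented behaviour: the word after the opening `---` selects the frontmatter engine, and `options.engines` lets a caller replace any engine by name, with `js`/`javascript` and `coffee`/`coffeescript`/`cson` resolving to the code-executing engines.

```javascript
// Added example, not TinaCMS or gray-matter code. Assumes gray-matter's
// documented behaviour: the text after the opening "---" names the engine,
// and options.engines lets a caller override any engine by name.

// Engine names that gray-matter resolves to code execution.
const CODE_ENGINES = ['js', 'javascript', 'coffee', 'coffeescript', 'cson'];

function refuse(name) {
  return () => { throw new Error(`frontmatter engine "${name}" is disabled`); };
}

// Passing this as { engines: hardenedEngines } to matter() makes code
// frontmatter fail loudly instead of being evaluated (the approach the fix takes).
const hardenedEngines = Object.fromEntries(CODE_ENGINES.map((n) => [n, refuse(n)]));

// Mirror of how gray-matter picks the language: the remainder of the first
// delimiter line, trimmed. Returns '' for a plain "---" (default engine, YAML)
// and null when the file has no frontmatter at all.
function frontmatterLanguage(text, delimiter = '---') {
  const firstLine = text.split(/\r?\n/, 1)[0];
  if (!firstLine.startsWith(delimiter)) return null;
  return firstLine.slice(delimiter.length).trim().toLowerCase();
}

// Defender-side check: which markdown files request a code-executing engine?
// Run it over a content tree or an upload before it reaches a gray-matter
// consumer that has not disabled those engines.
function findCodeFrontmatter(files) {
  return Object.entries(files)
    .filter(([, text]) => CODE_ENGINES.includes(frontmatterLanguage(text)))
    .map(([name]) => name);
}

// Constructed sample content for the demonstration.
const SAMPLE_FILES = {
  'about.md': '---\ntitle: About\n---\nHello\n',
  'post.md': '---js\n{ title: "x" }\n---\nbody\n',
  'notes.md': 'no frontmatter here\n',
  'old.md': '--- coffee\ntitle: "y"\n---\n',
};

console.log(findCodeFrontmatter(SAMPLE_FILES)); // flags post.md and old.md
```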


Technical Appendix

CVSS Score: 7.3 / 10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
EPSS Probability: 0.08% (top 76% most exploited)

Affected Systems

TinaCMS, @tinacms/cli, @tinacms/graphql

Affected Versions Detail

Product            Vendor    Affected Versions   Fixed Version
tinacms            tinacms   < 3.1.1             3.1.1
@tinacms/cli       tinacms   < 2.0.4             2.0.4
@tinacms/graphql   tinacms   < 2.0.3             2.0.3
Attribute             Detail
CWE ID                CWE-94
Weakness              Improper Control of Generation of Code ('Code Injection')
Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
CVSS v4.0 Score       7.3 (High)
EPSS Score            0.08% (Low Probability)
Exploit Status        Proof-of-Concept Available
CISA KEV              No

CWE-94
Improper Control of Generation of Code ('Code Injection')

The software constructs all or part of a code string using externally-controlled input, but it does not neutralize or incorrectly neutralizes the input from a code syntax perspective, which can lead to the injection of arbitrary code.

Vulnerability Timeline

2025-12-17  Fix is committed to the main branch.
2025-12-18  CVE-2025-68278 and GHSA-529f-9qwm-9628 are publicly disclosed.
2025-12-18  Proof-of-Concept becomes publicly available.
