CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad
CVE-2025-68278
CVSS 7.3 · EPSS 0.08%

TinaCMS: How a Blog Post Becomes a Beachhead (CVE-2025-68278)

Alon Barad, Software Engineer

Jan 3, 2026 · 8 min read

PoC Available

Executive Summary (TL;DR)

A vulnerability in TinaCMS allows attackers to execute code on the server by crafting a malicious markdown file. The issue is caused by the `gray-matter` library, which evaluates JavaScript found in frontmatter by default. Uploading a file whose frontmatter uses the `---js` delimiter leads to RCE. Update to the patched versions, which disable this functionality.

CVE-2025-68278 is a critical Remote Code Execution (RCE) vulnerability in TinaCMS, a popular headless CMS. The flaw stems from its dependency, the `gray-matter` library, which, in a stunning display of optimism, defaults to executing JavaScript or CoffeeScript found in markdown frontmatter. This allows an attacker with permission to upload a seemingly harmless markdown file to gain complete control of the server, turning a simple content update into a full-scale system compromise. The fix involves explicitly disabling these dangerous 'features,' reminding us that sometimes the most helpful libraries are the ones holding a loaded gun.
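As an added example (not code from TinaCMS, gray-matter, or this report), the check below classifies a markdown file's frontmatter language the way gray-matter reads the opening delimiter and rejects or flags anything outside an allowlist of `yaml` and `json` (assumed here to be gray-matter's built-in, non-executable data engines), which is the defensive behaviour the fix is after. The sample files and the helper names are constructed for the example.

```javascript
// Added example (not TinaCMS or gray-matter code). Mirrors the frontmatter
// syntax gray-matter accepts: an opening `---` optionally followed by a language
// token (`---js`, `---coffee`, ...). It classifies each markdown file *before*
// any engine runs, so a file asking for an executable engine never reaches eval.

// Assumption: yaml and json are gray-matter's built-in data-only engines.
const ALLOWED_FRONTMATTER_LANGUAGES = new Set(['yaml', 'json']);

// Returns the language token of the frontmatter block, 'yaml' when the block has
// no token (gray-matter's default), or null when the file has no frontmatter.
function frontmatterLanguage(content, delimiter = '---') {
  const text = content.replace(/^\uFEFF/, '').replace(/\r\n?/g, '\n');
  if (!text.startsWith(delimiter)) return null;
  // `----` is a horizontal rule, not a delimiter (same rule gray-matter applies).
  if (text.charAt(delimiter.length) === delimiter.slice(-1)) return null;
  const nl = text.indexOf('\n');
  const token = text.slice(delimiter.length, nl === -1 ? text.length : nl).trim();
  return token === '' ? 'yaml' : token.toLowerCase();
}

// Throws for any file whose frontmatter requests an engine outside the allowlist;
// call this on upload, before the content is handed to the frontmatter parser.
function assertSafeFrontmatter(content) {
  const lang = frontmatterLanguage(content);
  if (lang !== null && !ALLOWED_FRONTMATTER_LANGUAGES.has(lang)) {
    throw new Error(`frontmatter language "${lang}" is not allowed`);
  }
  return lang;
}

// Triage helper: given { path: content }, list files that would have selected an
// executable or unexpected engine (e.g. to sweep an existing content repository).
function findUnsafeFrontmatter(files) {
  return Object.entries(files)
    .filter(([, content]) => {
      const lang = frontmatterLanguage(content);
      return lang !== null && !ALLOWED_FRONTMATTER_LANGUAGES.has(lang);
    })
    .map(([path]) => path);
}

// Constructed sample files (not taken from the advisory's proof of concept).
const SAMPLE_FILES = {
  'posts/hello.md': '---\ntitle: Hello\n---\nPlain YAML frontmatter.\n',
  'posts/json.md': '---json\n{"title": "Hi"}\n---\nJSON frontmatter is data only.\n',
  'posts/rule.md': '----\nStarts with a horizontal rule, no frontmatter.\n',
  'posts/js.md': '---js\n{ title: "x" }\n---\nSelects the JavaScript engine.\n',
  'posts/coffee.md': '---coffee\ntitle: "x"\n---\nSelects the CoffeeScript engine.\n',
};
```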

Fix Analysis

Technical Appendix

CVSS Score: 7.3 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
EPSS Probability: 0.08% (top 76% most exploited)

Affected Systems

  • tinacms
  • @tinacms/cli
  • @tinacms/graphql

Affected Versions Detail

Product            Vendor    Affected Versions   Fixed Version
tinacms            tinacms   < 3.1.1             3.1.1
@tinacms/cli       tinacms   < 2.0.4             2.0.4
@tinacms/graphql   tinacms   < 2.0.3             2.0.3
Attribute             Detail
CWE ID                CWE-94
Weakness              Improper Control of Generation of Code ('Code Injection')
Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
CVSS v4.0 Score       7.3 (High)
EPSS Score            0.08% (Low Probability)
Exploit Status        Proof-of-Concept Available
CISA KEV              No

MITRE ATT&CK Mapping

  • T1059.007 Command and Scripting Interpreter: JavaScript (Execution)
  • T1190 Exploit Public-Facing Application (Initial Access)

CWE-94: Improper Control of Generation of Code ('Code Injection')

The software constructs all or part of a code string using externally-controlled input, but it does not neutralize or incorrectly neutralizes the input from a code syntax perspective, which can lead to the injection of arbitrary code.

Known Exploits & Detection

Vulners (from GHSA): Provides a clear Proof-of-Concept demonstrating RCE by reading /etc/passwd via a crafted markdown file.

Vulnerability Timeline

  • 2025-12-17: Fix is committed to the main branch.
  • 2025-12-18: CVE-2025-68278 and GHSA-529f-9qwm-9628 are publicly disclosed.
  • 2025-12-18: Proof-of-Concept becomes publicly available.

References & Sources

  • [1] GitHub Advisory: Arbitrary Code Execution in tinacms
  • [2] Fix Commit
  • [3] NVD - CVE-2025-68278

Attack Flow Diagram
