Arbitrary Code Execution in TinaCMS via Insecure Frontmatter Parsing

TinaCMS is a headless content management system that enables developers to build content editing capabilities directly into React-based applications. A core function of the CMS is parsing markdown files to extract metadata (frontmatter) and content. This parsing is handled by the gray-matter library.

The vulnerability exists because TinaCMS initialized gray-matter without restricting its default engine capabilities. By default, gray-matter recognizes delimiters for multiple languages, including JavaScript (---js) and CoffeeScript (---coffee). When the library encounters these delimiters, it attempts to parse the content as code, often using unsafe evaluation methods like eval or require. This behavior transforms the markdown parser into a vector for server-side code execution.

An attacker can exploit this by creating or modifying a markdown file to include a malicious script in the frontmatter. When the TinaCMS GraphQL server or CLI tool processes this file, the injected code is executed on the host system. This affects the tinacms core package, as well as @tinacms/cli and @tinacms/graphql.

The root cause of CVE-2025-68278 is the failure to explicitly disable unsafe parsing engines in the gray-matter configuration. While gray-matter is a robust library, its documentation explicitly warns that the JavaScript and CoffeeScript parsers are unsafe for untrusted input because they execute code during the parsing phase.

In the vulnerable versions of TinaCMS, the parsing logic resides in packages/@tinacms/graphql/src/database/util.ts. The code invoked the parser without passing an engines configuration object that restricted supported languages. Consequently, the library fell back to its defaults, which include support for js, javascript, coffee, and coffeescript.

This behavior violates the principle of least privilege regarding input handling. A content management system should treat data files as static content or strictly structured data (like YAML or JSON), never as executable scripts. By implicitly trusting the default behavior of the dependency, TinaCMS exposed the underlying runtime environment to arbitrary code execution.

The remediation involves explicitly overriding the unsafe engines in the gray-matter configuration. The developers introduced a configuration object that defines custom handlers for the dangerous types, forcing them to throw errors instead of executing code.

Below is the analysis of the fix applied in packages/@tinacms/graphql/src/database/util.ts:

// PATCH ANALYSIS: Explicitly disable unsafe engines
 
const matterEngines = {
  // Define handlers that immediately throw errors when invoked
  js: {
    parse: () => {
      throw new Error('JavaScript execution in frontmatter is not allowed for security reasons');
    },
    stringify: () => {
      throw new Error('JavaScript execution in frontmatter is not allowed for security reasons');
    },
  },
  // Apply the same restriction to aliases and CoffeeScript
  javascript: {
    parse: () => { throw new Error(...); },
    stringify: () => { throw new Error(...); }
  },
  coffee: {
    parse: () => { throw new Error(...); },
    stringify: () => { throw new Error(...); }
  },
  coffeescript: {
    parse: () => { throw new Error(...); },
    stringify: () => { throw new Error(...); }
  },
  // TOML and YAML remain supported (omitted for brevity)
};
 
// The matter function is now called with these restricted engines
// preventing the library from using its default unsafe eval/require logic.

This change ensures that even if an attacker injects a ---js block, the application will reject the file with a security error rather than executing the payload. This is a robust fix as it addresses the issue at the parsing configuration level.

Exploitation requires the ability to modify markdown files processed by TinaCMS. This could be achieved by an authenticated user with content editing permissions, or by an external contributor submitting a malicious Pull Request in workflows where TinaCMS processes PR content automatically (e.g., CI/CD pipelines or preview environments).

The attacker crafts a markdown file replacing standard YAML frontmatter with a JavaScript block. The gray-matter library parses this block using the Node.js require or eval context, allowing access to standard libraries like fs (filesystem) and child_process.

Proof of Concept Payload

---js
{
  "onLoad": (function(){
    const { execSync } = require('child_process');
    // Execute arbitrary system commands
    const output = execSync('id').toString();
    // Exfiltrate data or modify system state
    require('fs').writeFileSync('pwned.txt', output);
    return {};
  })()
}
---
# Innocent Looking Post
 
This content appears normal but triggers RCE on save/build.

When the vulnerable TinaCMS instance parses this file, the immediate invoked function expression (IIFE) executes, running the system command id and writing the result to disk.

The impact of this vulnerability is rated High (CVSS 7.3). Successful exploitation grants the attacker the privileges of the Node.js process running the TinaCMS server or CLI.

Confidentiality: Attackers can read sensitive files from the server, including environment variables, database credentials, and source code. In cloud environments (e.g., AWS Lambda, Vercel), they may be able to exfiltrate temporary credentials to pivot to other infrastructure.

Integrity: Attackers can modify files, inject persistent backdoors into the CMS codebase, or alter database contents. They could potentially modify other content files to spread the attack to site visitors (Stored XSS).

Availability: Attackers can crash the server, delete critical files, or consume resources to cause a Denial of Service. Since TinaCMS is often used in build pipelines, this could also poison the build cache or compromise the deployment chain.