CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-53597

CVE-2026-53597: Remote Code Execution in Microsoft prompty via Insecure gray-matter Parsing

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 17, 2026·6 min read·0 visits

Executive Summary (TL;DR)

Unauthenticated remote code execution via malicious .prompty frontmatter blocks that trigger evaluation in gray-matter.

CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.

Vulnerability Overview

Microsoft's prompty is an asset class and file format designed to orchestrate, load, and manage prompts for Large Language Model (LLM) environments. The TypeScript implementation, distributed via the @prompty/core package, exposes a file loader that processes .prompty files. These files typically contain a YAML-like metadata block at the top, known as frontmatter, followed by the actual prompt template.

The parsing engine used by the TypeScript loader to dissect this metadata is gray-matter, a popular Node.js library. By default, gray-matter supports the direct execution of arbitrary JavaScript if specified in the frontmatter boundaries. Because the @prompty/core loader parsed raw files without overriding or disabling these default execution features, an attacker-controlled .prompty file containing a JavaScript block would execute commands immediately upon ingestion.

The vulnerability is tracked as CVE-2026-53597 and affects all versions from 2.0.0-alpha.1 up to (but not including) 2.0.0-beta.3. Because many agentic architectures dynamically parse or sync prompt configurations from user-supplied inputs, external repositories, or feedback channels, the attack surface expands beyond local developer workstations into production-level cloud middleware.

Root Cause Analysis

The root cause of this vulnerability lies in the default handling behaviors of the gray-matter parser when encountering specialized frontmatter languages. Frontmatter is typically delimited by triple-dash lines (---) and contains key-value configurations. While standard frontmatter utilizes YAML or JSON, gray-matter supports built-in parsers for executable languages, specifically js or javascript blocks.

When gray-matter identifies a frontmatter declaration starting with ---js or ---javascript, it extracts the contents of that block and passes them to the Node.js compilation and execution context. The parser evaluates the string as executable code to dynamically populate metadata keys, using the runtime permissions of the active Node.js process.

In vulnerable versions of @prompty/core, the buildAgent() function inside loader.ts called matter(raw) directly on the unvalidated input string. Because no configuration parameters were passed to restrict parser engines, the default behavior of gray-matter remained active. Consequently, parsing any .prompty file containing a ---js frontmatter block resulted in immediate code execution.

Code-Level Analysis and Patch Verification

In vulnerable versions, the loader process in runtime/typescript/packages/core/src/core/loader.ts parsed the raw prompt without engine restrictions:

function buildAgent(raw: string, filePath: string, options: LoadOptions): Prompty {
  // 1. Split frontmatter + body
  // Vulnerable: gray-matter is called with default options, allowing executable engines
  const { data, content } = matter(raw);
  ...
}

The fix, introduced in commit c27402da2487075be577f06aa79df627fb9d6853, addresses the issue by explicitly overriding the execution engines for the js and javascript file types:

function buildAgent(raw: string, filePath: string, options: LoadOptions): Prompty {
  // 1. Split frontmatter + body
  // Patched: Engines for js and javascript are mapped to a rejection routine
  const { data, content } = matter(raw, {
    engines: {
      js: { parse: rejectExecutableFrontmatter },
      javascript: { parse: rejectExecutableFrontmatter },
    },
  });
  ...
}
 
// Explicit rejection function that prevents execution
function rejectExecutableFrontmatter(): never {
  throw new Error("JavaScript frontmatter is not supported in .prompty files");
}

The mitigation is effective because the overridden engine handles parsing by throwing an exception immediately upon encountering the executable indicators, completely preventing evaluation. However, security researchers should verify that downstream dependencies or alternative engines (e.g., custom YAML object deserialization via js-yaml tags like !!js/function) are not also exposed to similar evaluation flaws.

Exploitation Methodology

Exploitation of CVE-2026-53597 requires that the target application ingest and parse a maliciously configured .prompty file. This ingestion can occur through automated prompt pipelines, synchronization of external prompt directories, or upload functionality within prompt-testing interfaces.

An attacker can craft a payload containing an Immediately Invoked Function Expression (IIFE) within the ---js block of the frontmatter. When the backend parses the file, the payload executes within the context of the running application. A basic proof of concept demonstrates execution using Node's standard libraries:

---js
(function(){
    const { execSync } = require('child_process');
    execSync('id > /tmp/compromised.txt');
    return {};
})()
---
name: Exploit
description: Remote Code Execution Proof of Concept
model:
  api: chat
---
system:
You are an assistant.

When the loader consumes this file, the payload executes before any validation of the prompt parameters can occur, leading to a complete compromise of the underlying container or application layer.

Impact Assessment and Vector Analysis

Successful exploitation of CVE-2026-53597 yields full arbitrary code execution under the privileges of the active Node.js server process. In cloud-native and Kubernetes-managed architectures, this compromise can expose environment variables containing database credentials, cloud access tokens, or sensitive API keys for LLM providers.

This vulnerability is analyzed under CVSS v4.0 with a score of 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). The attack vector is classified as network-based because exploitation can occur remotely if the application processes templates provided by remote users or synchronized from external sources. The attack complexity is low as no specialized constraints or permissions are required to execute the payload once the parser is invoked.

While the current EPSS score is approximately 0.0093 (percentile 56.62%), this rating represents its specific inclusion in developer tooling. As prompt-engineering libraries become standard layers in enterprise artificial intelligence pipelines, the potential exploit frequency and risk profiles for automated agents are expected to increase.

Detection and Remediation Strategies

The primary remediation strategy is upgrading the @prompty/core package to version 2.0.0-beta.3 or later. This update enforces explicit checks that drop execution requests for both js and javascript frontmatter engines. Ensure all lockfiles and transitive dependency chains are audited to confirm that older alpha versions are eliminated from the environment.

If patching cannot be performed immediately, temporary mitigations can be deployed. Implement a validation layer that screens files before ingestion. Applications can read .prompty inputs as raw text and run regex validations to reject files containing executable tags.

rule Detect_Executable_Prompty_Frontmatter {
    meta:
        description = "Detects executable JS frontmatter blocks in .prompty files"
        cve = "CVE-2026-53597"
        severity = "High"
    strings:
        $js_tag = /^\s*---js\b/m
        $javascript_tag = /^\s*---javascript\b/m
        $prompt_indicator = "model:"
    condition:
        ($js_tag or $javascript_tag) and $prompt_indicator
}

Additionally, enforce strict container isolation and execution constraints. Run Node.js services under non-root service accounts with minimized filesystem permissions, and restrict external network egress to prevent unauthorized credential exfiltration or reverse shell connections.

Official Patches

MicrosoftFix commit implementing custom engines for gray-matter compilation in the TypeScript loader.

Fix Analysis (1)

Technical Appendix

CVSS Score
8.7/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Probability
0.93%
Top 43% most exploited

Affected Systems

Applications utilizing the @prompty/core TypeScript package to parse prompt filesNode.js execution runtimes hosting prompty loading capabilitiesPrompt engineering and automated agent deployment environments using vulnerable prompty loaders

Affected Versions Detail

Product
Affected Versions
Fixed Version
@prompty/core
Microsoft
>= 2.0.0-alpha.1, < 2.0.0-beta.32.0.0-beta.3
AttributeDetail
CWE IDCWE-94: Improper Control of Generation of Code ('Code Injection')
Attack VectorNetwork (with User Interaction)
CVSS v4.08.7 (High)
EPSS Score0.0093 (Percentile: 56.62%)
Exploit StatusProof of Concept (PoC) available
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1210Exploitation of Remote Services
Lateral Movement
T1059.003Command and Scripting Interpreter: Windows Command Shell
Execution
CWE-94
Improper Control of Generation of Code ('Code Injection')

The product constructs or refines all or part of a code segment using externally-influenced input, but does not sufficiently neutralize or escape code elements that can modify execution flow.

Known Exploits & Detection

GitHub Security AdvisoryAdvisory containing the vulnerability overview and replication methodology.

References & Sources

  • [1]NVD - CVE-2026-53597 Details
  • [2]GitHub Security Advisory (GHSA-c4gh-rv8h-q9vw)
  • [3]Fix Commit (TypeScript Loader)
  • [4]OSV JSON Metadata Record

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 2 hours ago•GHSA-RJWR-M7QX-3FJR
8.6

GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen

An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.

Alon Barad
Alon Barad
2 views•7 min read
•about 3 hours ago•CVE-2026-55646
6.5

CVE-2026-55646: Remote Denial of Service via Memory Exhaustion in vLLM Speech-to-Text Endpoints

A severe denial-of-service (DoS) vulnerability exists in the speech-to-text API endpoints of the vLLM serving engine from version 0.22.0 to 0.23.0. The flaw is triggered by the direct deserialization and reading of uploaded files into RAM prior to validating file-size limits. An authenticated attacker can exploit this behavior by submitting large file payloads, causing resource starvation and forcing the operating system kernel to terminate the serving process.

Alon Barad
Alon Barad
3 views•5 min read
•about 4 hours ago•CVE-2026-34760
5.9

CVE-2026-34760: Adversarial Prompt Injection via Unweighted Audio Downmixing in vLLM

An improper input validation vulnerability (CWE-20) exists in vLLM versions 0.5.5 through 0.17.2 when processing multi-channel audio tracks. By relying on librosa's flat arithmetic mean instead of physical downmixing standards, vLLM blends sub-audible low-frequency or surround channels with equal weight. This enables an attacker to inject adversarial prompt sequences that bypass human moderation but are parsed clearly by speech-to-text models.

Amit Schendel
Amit Schendel
4 views•8 min read
•about 9 hours ago•GHSA-GGXF-9F6J-W742
5.3

GHSA-GGXF-9F6J-W742: Use-After-Free in Diesel SQLite Deserialization

A memory unsoundness vulnerability exists in the Diesel ORM crate when deserializing SQLite databases from raw bytes. The flaw is caused by a failure to bind the lifetime of the input buffer to the lifetime of the connection object, resulting in a Use-After-Free condition in the underlying libsqlite3 C library when subsequent queries are executed.

Alon Barad
Alon Barad
4 views•6 min read
•about 10 hours ago•CVE-2026-52870
7.6

CVE-2026-52870: Broken Object-Level Authorization (BOLA) in Model Context Protocol (MCP) Python SDK

CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 11 hours ago•GHSA-48QW-824M-86PR
7.7

GHSA-48QW-824M-86PR: Privilege Escalation and Sandbox Escape in ArcadeDB Server

A high-severity privilege escalation and sandbox escape vulnerability exists in ArcadeDB Server prior to version 26.7.1. This flaw permits an authenticated user with read-only privileges to execute arbitrary JVM code in a sandboxed JavaScript context via the API command endpoint. By utilizing reflection on bound Java objects, an attacker can bypass the GraalVM guest environment's whitelist, access the Java ClassLoader, and perform arbitrary file reads on the host filesystem.

Alon Barad
Alon Barad
6 views•6 min read