Jul 17, 2026·6 min read·0 visits
Unauthenticated remote code execution via malicious .prompty frontmatter blocks that trigger evaluation in gray-matter.
CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.
Microsoft's prompty is an asset class and file format designed to orchestrate, load, and manage prompts for Large Language Model (LLM) environments. The TypeScript implementation, distributed via the @prompty/core package, exposes a file loader that processes .prompty files. These files typically contain a YAML-like metadata block at the top, known as frontmatter, followed by the actual prompt template.
The parsing engine used by the TypeScript loader to dissect this metadata is gray-matter, a popular Node.js library. By default, gray-matter supports the direct execution of arbitrary JavaScript if specified in the frontmatter boundaries. Because the @prompty/core loader parsed raw files without overriding or disabling these default execution features, an attacker-controlled .prompty file containing a JavaScript block would execute commands immediately upon ingestion.
The vulnerability is tracked as CVE-2026-53597 and affects all versions from 2.0.0-alpha.1 up to (but not including) 2.0.0-beta.3. Because many agentic architectures dynamically parse or sync prompt configurations from user-supplied inputs, external repositories, or feedback channels, the attack surface expands beyond local developer workstations into production-level cloud middleware.
The root cause of this vulnerability lies in the default handling behaviors of the gray-matter parser when encountering specialized frontmatter languages. Frontmatter is typically delimited by triple-dash lines (---) and contains key-value configurations. While standard frontmatter utilizes YAML or JSON, gray-matter supports built-in parsers for executable languages, specifically js or javascript blocks.
When gray-matter identifies a frontmatter declaration starting with ---js or ---javascript, it extracts the contents of that block and passes them to the Node.js compilation and execution context. The parser evaluates the string as executable code to dynamically populate metadata keys, using the runtime permissions of the active Node.js process.
In vulnerable versions of @prompty/core, the buildAgent() function inside loader.ts called matter(raw) directly on the unvalidated input string. Because no configuration parameters were passed to restrict parser engines, the default behavior of gray-matter remained active. Consequently, parsing any .prompty file containing a ---js frontmatter block resulted in immediate code execution.
In vulnerable versions, the loader process in runtime/typescript/packages/core/src/core/loader.ts parsed the raw prompt without engine restrictions:
function buildAgent(raw: string, filePath: string, options: LoadOptions): Prompty {
// 1. Split frontmatter + body
// Vulnerable: gray-matter is called with default options, allowing executable engines
const { data, content } = matter(raw);
...
}The fix, introduced in commit c27402da2487075be577f06aa79df627fb9d6853, addresses the issue by explicitly overriding the execution engines for the js and javascript file types:
function buildAgent(raw: string, filePath: string, options: LoadOptions): Prompty {
// 1. Split frontmatter + body
// Patched: Engines for js and javascript are mapped to a rejection routine
const { data, content } = matter(raw, {
engines: {
js: { parse: rejectExecutableFrontmatter },
javascript: { parse: rejectExecutableFrontmatter },
},
});
...
}
// Explicit rejection function that prevents execution
function rejectExecutableFrontmatter(): never {
throw new Error("JavaScript frontmatter is not supported in .prompty files");
}The mitigation is effective because the overridden engine handles parsing by throwing an exception immediately upon encountering the executable indicators, completely preventing evaluation. However, security researchers should verify that downstream dependencies or alternative engines (e.g., custom YAML object deserialization via js-yaml tags like !!js/function) are not also exposed to similar evaluation flaws.
Exploitation of CVE-2026-53597 requires that the target application ingest and parse a maliciously configured .prompty file. This ingestion can occur through automated prompt pipelines, synchronization of external prompt directories, or upload functionality within prompt-testing interfaces.
An attacker can craft a payload containing an Immediately Invoked Function Expression (IIFE) within the ---js block of the frontmatter. When the backend parses the file, the payload executes within the context of the running application. A basic proof of concept demonstrates execution using Node's standard libraries:
---js
(function(){
const { execSync } = require('child_process');
execSync('id > /tmp/compromised.txt');
return {};
})()
---
name: Exploit
description: Remote Code Execution Proof of Concept
model:
api: chat
---
system:
You are an assistant.When the loader consumes this file, the payload executes before any validation of the prompt parameters can occur, leading to a complete compromise of the underlying container or application layer.
Successful exploitation of CVE-2026-53597 yields full arbitrary code execution under the privileges of the active Node.js server process. In cloud-native and Kubernetes-managed architectures, this compromise can expose environment variables containing database credentials, cloud access tokens, or sensitive API keys for LLM providers.
This vulnerability is analyzed under CVSS v4.0 with a score of 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). The attack vector is classified as network-based because exploitation can occur remotely if the application processes templates provided by remote users or synchronized from external sources. The attack complexity is low as no specialized constraints or permissions are required to execute the payload once the parser is invoked.
While the current EPSS score is approximately 0.0093 (percentile 56.62%), this rating represents its specific inclusion in developer tooling. As prompt-engineering libraries become standard layers in enterprise artificial intelligence pipelines, the potential exploit frequency and risk profiles for automated agents are expected to increase.
The primary remediation strategy is upgrading the @prompty/core package to version 2.0.0-beta.3 or later. This update enforces explicit checks that drop execution requests for both js and javascript frontmatter engines. Ensure all lockfiles and transitive dependency chains are audited to confirm that older alpha versions are eliminated from the environment.
If patching cannot be performed immediately, temporary mitigations can be deployed. Implement a validation layer that screens files before ingestion. Applications can read .prompty inputs as raw text and run regex validations to reject files containing executable tags.
rule Detect_Executable_Prompty_Frontmatter {
meta:
description = "Detects executable JS frontmatter blocks in .prompty files"
cve = "CVE-2026-53597"
severity = "High"
strings:
$js_tag = /^\s*---js\b/m
$javascript_tag = /^\s*---javascript\b/m
$prompt_indicator = "model:"
condition:
($js_tag or $javascript_tag) and $prompt_indicator
}Additionally, enforce strict container isolation and execution constraints. Run Node.js services under non-root service accounts with minimized filesystem permissions, and restrict external network egress to prevent unauthorized credential exfiltration or reverse shell connections.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N| Product | Affected Versions | Fixed Version |
|---|---|---|
@prompty/core Microsoft | >= 2.0.0-alpha.1, < 2.0.0-beta.3 | 2.0.0-beta.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| Attack Vector | Network (with User Interaction) |
| CVSS v4.0 | 8.7 (High) |
| EPSS Score | 0.0093 (Percentile: 56.62%) |
| Exploit Status | Proof of Concept (PoC) available |
| KEV Status | Not Listed |
The product constructs or refines all or part of a code segment using externally-influenced input, but does not sufficiently neutralize or escape code elements that can modify execution flow.
An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.
A severe denial-of-service (DoS) vulnerability exists in the speech-to-text API endpoints of the vLLM serving engine from version 0.22.0 to 0.23.0. The flaw is triggered by the direct deserialization and reading of uploaded files into RAM prior to validating file-size limits. An authenticated attacker can exploit this behavior by submitting large file payloads, causing resource starvation and forcing the operating system kernel to terminate the serving process.
An improper input validation vulnerability (CWE-20) exists in vLLM versions 0.5.5 through 0.17.2 when processing multi-channel audio tracks. By relying on librosa's flat arithmetic mean instead of physical downmixing standards, vLLM blends sub-audible low-frequency or surround channels with equal weight. This enables an attacker to inject adversarial prompt sequences that bypass human moderation but are parsed clearly by speech-to-text models.
A memory unsoundness vulnerability exists in the Diesel ORM crate when deserializing SQLite databases from raw bytes. The flaw is caused by a failure to bind the lifetime of the input buffer to the lifetime of the connection object, resulting in a Use-After-Free condition in the underlying libsqlite3 C library when subsequent queries are executed.
CVE-2026-52870 is a high-severity Broken Object-Level Authorization (BOLA) / Missing Authorization vulnerability (CWE-862) discovered in the experimental tasks feature of the Model Context Protocol (MCP) Python SDK. Under affected versions (< 1.27.2), default handlers registered via server.experimental.enable_tasks() allowed connected clients to enumerate, access, and terminate active tasks belonging to other user sessions due to a lack of session ownership validation. This compromised multi-tenant isolation, allowing authenticated users to extract execution data and cancel running jobs across concurrent connections. The vulnerability has been resolved in version 1.27.2 through session-scoping of task identifiers and transport session pinning.
A high-severity privilege escalation and sandbox escape vulnerability exists in ArcadeDB Server prior to version 26.7.1. This flaw permits an authenticated user with read-only privileges to execute arbitrary JVM code in a sandboxed JavaScript context via the API command endpoint. By utilizing reflection on bound Java objects, an attacker can bypass the GraalVM guest environment's whitelist, access the Java ClassLoader, and perform arbitrary file reads on the host filesystem.