
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN170
_____________________________________________________________________

DATE                : 16/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running next-mdx-remote versions prior
                     to 6.0.0.

=====================================================================
https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155
_____________________________________________________________________

HCSEC-2026-01 - Arbitrary code execution in React server-side
rendering of untrusted MDX content

Bulletin ID: HCSEC-2026-01
Affected Products / Versions: next-mdx-remote from 4.3.0 up to 5.0.0, 
fixed in 6.0.0.
Publication Date: February 11, 2026


Summary
The serialize function used to compile MDX in next-mdx-remote is 
vulnerable to arbitrary code execution due to insufficient 
sanitization of MDX content. This vulnerability, CVE-2026-0969, is 
fixed in next-mdx-remote 6.0.0.


Background
next-mdx-remote is an open-source TypeScript library that allows MDX 
content from various sources to be rendered dynamically on the client 
or server.


Details
Passing untrusted MDX content to serialize or compileMDX with
JavaScript expressions enabled may lead to remote code execution (RCE),
because the content is not sufficiently sanitized before it is compiled
and evaluated on the server. As of version 6.0.0, next-mdx-remote
introduces a breaking change that disables JavaScript expressions by
default (blockJS: true) for both the serialize and compileMDX
functions. When JavaScript expressions are explicitly enabled
(blockJS: false), the new blockDangerousJS option (enabled by default)
provides best-effort protection against dangerous operations such as
eval, Function, process, require and other globals that could lead to
arbitrary code execution. Because that protection is explicitly
best-effort, enabling JavaScript expressions should be reserved for
content from trusted authors.
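The following is an added example, not code from next-mdx-remote or
HashiCorp, showing the two policies described above as a pre-flight
gate that a server can run on MDX before handing it to serialize or
compileMDX: refusing any JavaScript expression or import/export (the
6.0.0 default, blockJS: true), and the weaker identifier deny-list that
only applies once expressions are enabled (the blockDangerousJS idea).
It assumes that an expression is a `{ ... }` span and that ESM is an
`import`/`export` at the start of a line, both ignored inside fenced and
inline code; the deny-list is a toy stand-in for the library's own
check, not a copy of it, and the sample documents are constructed. The
last sample shows why a deny-list is only best-effort: an expression
that reaches Function through a constructor property names none of the
listed globals, so only the expression-free default stops it.

```javascript
// Added example, not next-mdx-remote code. Pre-flight gate for untrusted MDX.
// Assumptions (not from the advisory): a JS expression is a `{ ... }` span,
// ESM is `import`/`export` at line start, both ignored inside code fences and
// inline code. DANGEROUS_GLOBALS is a toy stand-in for blockDangerousJS.

// Globals the advisory names as targets of the best-effort deny-list.
const DANGEROUS_GLOBALS = ["eval", "Function", "process", "require"];

const FENCE = "`".repeat(3); // built at runtime so the sample stays readable

// Drop fenced blocks and inline code so braces inside code samples are not
// mistaken for expressions (a common false positive in naive scanners).
function stripCode(mdx) {
  const fenced = new RegExp(`${FENCE}[\\s\\S]*?${FENCE}`, "g");
  return mdx.replace(fenced, "").replace(/`[^`\n]*`/g, "");
}

// Collect the text of every top-level `{ ... }` span, honouring nesting.
function extractExpressions(text) {
  const out = [];
  let depth = 0;
  let start = -1;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (c === "{") {
      if (depth === 0) start = i + 1;
      depth++;
    } else if (c === "}" && depth > 0) {
      depth--;
      if (depth === 0) out.push(text.slice(start, i).trim());
    }
  }
  return out;
}

function hasEsm(text) {
  return /^\s*(import|export)\b/m.test(text);
}

// Lexical match on bare identifiers: exactly the kind of check that a
// computed property access or a .constructor chain walks straight past.
function dangerousIdentifiers(expr) {
  return DANGEROUS_GLOBALS.filter((g) => new RegExp(`\\b${g}\\b`).test(expr));
}

// Policy gate. Defaults mirror the 6.0.0 defaults from the advisory:
// blockJS: true refuses any expression or ESM outright; blockDangerousJS is
// the weaker deny-list and is only consulted once blockJS is turned off.
function inspectMdx(mdx, { blockJS = true, blockDangerousJS = true } = {}) {
  const text = stripCode(mdx);
  const expressions = extractExpressions(text);
  const reasons = [];
  if (blockJS) {
    if (expressions.length > 0) reasons.push("javascript expression present");
    if (hasEsm(text)) reasons.push("import/export present");
  } else if (blockDangerousJS) {
    for (const expr of expressions) {
      const hits = dangerousIdentifiers(expr);
      if (hits.length > 0) reasons.push(`dangerous identifier: ${hits.join(", ")}`);
    }
  }
  return { allowed: reasons.length === 0, reasons, expressions };
}

// Constructed sample documents (not real submissions).
const SAFE = `# Hello\n\nProse and a code sample:\n\n${FENCE}js\nconsole.log(process.env)\n${FENCE}\n`;
const EXPR = "# Hello\n\n{process.env.SECRET}\n";
const ESM = "import x from 'y'\n\n# Hello\n";
// Reaches Function without naming any listed global.
const HIDDEN = "# Hello\n\n{(() => {}).constructor('return 1')()}\n";

console.log("SAFE   default      ->", inspectMdx(SAFE).allowed);                   // true
console.log("EXPR   default      ->", inspectMdx(EXPR).reasons);                   // expression present
console.log("EXPR   blockJS off  ->", inspectMdx(EXPR, { blockJS: false }).reasons); // process
console.log("HIDDEN blockJS off  ->", inspectMdx(HIDDEN, { blockJS: false }).allowed); // true: deny-list misses it
console.log("HIDDEN default      ->", inspectMdx(HIDDEN).allowed);                 // false: blockJS stops it
```

The gate is a last line of defence in front of the library call, not a
replacement for upgrading; its value is in making the two settings
concrete, and in showing that once blockJS is off, what gets through
depends on a pattern list that an author can route around.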


Remediation
Deployments that pass untrusted user input to the compileMDX or
serialize function of the next-mdx-remote library in a server
environment should evaluate the risk associated with this issue and
consider upgrading to next-mdx-remote 6.0.0, keeping the default
blockJS: true for any content that is not fully trusted.


Acknowledgement
This issue was identified by researchers at Sejong University.

We deeply appreciate any effort to coordinate disclosure of security 
vulnerabilities. For information about security at HashiCorp and the 
reporting of security vulnerabilities, please see 
https://hashicorp.com/security.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
