gatsby-transformer-remark vulnerable to unsanitized JavaScript code injection
Description
CVE-2023-22491: JavaScript injection in Gatsby's gatsby-transformer-remark plugin via unsanitized Markdown frontmatter, leading to remote code execution on the build server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2023-22491 is a JavaScript injection vulnerability in gatsby-transformer-remark, the Gatsby plugin that turns Markdown files into MarkdownRemark nodes. The plugin hands each file's content to the gray-matter npm package to split off the frontmatter, and gray-matter in its default configuration does more than parse YAML: the opening delimiter may carry a language tag, and a block introduced by `---js` or `---javascript` is evaluated as JavaScript rather than parsed as data [1]. Anyone who can get content into a Markdown file the plugin processes, for example through a CMS integration or user-submitted data, can therefore place arbitrary JavaScript in the frontmatter, and that code runs inside the build process when the site is built [3].
Exploitation
No authentication is required, but the attacker must be able to place untrusted content into a Markdown file that gatsby-transformer-remark processes. Typical paths are headless CMS integrations and user-submitted content that reach the build without any sanitization of the frontmatter [1]. The mechanism is gray-matter's language tag on the opening delimiter: a frontmatter block that starts with `---js` instead of a plain `---` is passed to gray-matter's JavaScript engine and evaluated, so the "data" in the block is really a program. The advisory notes that the injection is triggered when MarkdownRemark nodes are queried via GraphQL, and its proof of concept uses exactly this engine to run arbitrary system commands on the build host [3].
Impact
Successful exploitation gives remote code execution in the context of the Gatsby build process. An attacker can run arbitrary system commands, read environment variables, exfiltrate secrets, tamper with the generated static assets, or pivot to internal systems reachable from the build environment [1][3]. Build jobs commonly hold credentials for source repositories, CDNs and deployment targets, which is why the issue is rated high severity (CVSS 8.1) [1].
Mitigation
gatsby-transformer-remark 5.25.1 and 6.3.2 disable the gray-matter JavaScript frontmatter engine by default, so a `---js` block no longer evaluates; upgrade to those releases or later [3]. Where an upgrade is not immediately possible, sanitize everything that reaches the plugin before ingestion: at minimum, reject or rewrite any frontmatter whose opening delimiter carries a language tag, because a plain `---` block is parsed as YAML and never reaches the JavaScript engine [3]. Keep all Gatsby plugins current so that future security fixes arrive promptly [2].
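The following is an added example, not code from Gatsby or from gray-matter. It models the behaviour described in the Overview, Exploitation and Mitigation sections above: gray-matter selects a frontmatter engine from the language tag on the opening delimiter, its default JavaScript engine evaluates the block, and the two defences are a hardened engine table (the shape of the upstream fix, whose exact option is not reproduced here) and a pre-ingestion check that rejects non-YAML frontmatter. The YAML parser is a deliberately tiny "key: scalar" subset so the file runs without dependencies, and the "malicious" document only sets a global marker rather than spawning a shell.

```javascript
// Added example (not gatsby-transformer-remark or gray-matter code): a small
// model of how gray-matter picks a frontmatter engine from the language tag
// on the opening delimiter, why the default JavaScript engine turns
// attacker-controlled frontmatter into code that runs in the build process,
// and two defences: a hardened engine table and a pre-ingestion check.

const DELIM = '---';

// Split "---<lang>\n<body>\n---\n<content>". A bare "---" means YAML, which is
// how gray-matter treats an untagged delimiter. lang === null means the text
// carries no frontmatter at all.
function splitFrontmatter(text) {
  const lines = text.split('\n');
  if (!lines[0].startsWith(DELIM)) {
    return { lang: null, body: '', content: text };
  }
  const lang = lines[0].slice(DELIM.length).trim() || 'yaml';
  const end = lines.indexOf(DELIM, 1);
  if (end === -1) {
    throw new Error('unterminated frontmatter block');
  }
  return {
    lang,
    body: lines.slice(1, end).join('\n'),
    content: lines.slice(end + 1).join('\n'),
  };
}

// Deliberately tiny YAML subset ("key: scalar" lines only) so the example
// runs without a YAML library; real gray-matter delegates to js-yaml.
function parseYamlSubset(body) {
  const data = {};
  for (const line of body.split('\n')) {
    const m = /^([A-Za-z_][\w-]*):\s*(.*)$/.exec(line);
    if (m) data[m[1]] = m[2].replace(/^(["'])(.*)\1$/, '$2');
  }
  return data;
}

// Models gray-matter's default "js"/"javascript" engine: the block is wrapped
// in a function that returns it and evaluated. Whoever controls the
// frontmatter therefore controls code executed by the build.
function unsafeJsEngine(body) {
  return new Function(`return (${body.trim()});`)();
}

// Default-like engine table: the JS engine is live.
const DEFAULT_ENGINES = {
  yaml: parseYamlSubset,
  js: unsafeJsEngine,
  javascript: unsafeJsEngine,
};

// Hardened table: the JS engines are replaced by no-ops that yield no data.
// This is the shape of the upstream fix (disable the gray-matter JS engine);
// the exact option the real patch passes is an assumption not reproduced here.
const HARDENED_ENGINES = {
  yaml: parseYamlSubset,
  js: () => ({}),
  javascript: () => ({}),
};

function parseMatter(text, engines = DEFAULT_ENGINES) {
  const { lang, body, content } = splitFrontmatter(text);
  if (lang === null) return { data: {}, content };
  const engine = engines[lang];
  if (!engine) throw new Error(`no engine for frontmatter language "${lang}"`);
  return { data: engine(body), content };
}

// Workaround check for builds that cannot upgrade yet: refuse any file whose
// opening delimiter selects a non-YAML engine before it reaches the plugin.
function frontmatterIsSafe(text) {
  const { lang } = splitFrontmatter(text);
  return lang === null || lang === 'yaml';
}

// Constructed sample inputs. The malicious one only sets a global marker so
// the side effect is observable; a real payload would reach for
// child_process or process.env in the same position.
const BENIGN_DOC = ['---', 'title: "Hello"', '---', '# Body'].join('\n');
const MALICIOUS_DOC = [
  '---js',
  '{',
  '  title: "Looks normal",',
  '  marker: (globalThis.__buildSideEffect = "code ran during build"),',
  '}',
  '---',
  '# Body',
].join('\n');

// Runs the malicious document through a given engine table and reports
// whether the "build process" observed the side effect.
function runBuildWith(engines) {
  globalThis.__buildSideEffect = undefined;
  const { data } = parseMatter(MALICIOUS_DOC, engines);
  return { data, sideEffect: globalThis.__buildSideEffect };
}

console.log('benign:', parseMatter(BENIGN_DOC).data);
console.log('vulnerable:', runBuildWith(DEFAULT_ENGINES));
console.log('hardened:', runBuildWith(HARDENED_ENGINES));
console.log('pre-ingestion check rejects payload:', !frontmatterIsSafe(MALICIOUS_DOC));
```

Run it with `node` and compare the two `runBuildWith` lines: with the default-like table the global marker is set and the attacker's `title` is returned as ordinary frontmatter, so nothing downstream looks suspicious; with the hardened table the block yields no data and the marker stays undefined. `frontmatterIsSafe` is the check to put in front of CMS or upload ingestion while an upgrade is pending.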
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| gatsby-transformer-remark | npm | >= 6.0.0, < 6.3.2 | 6.3.2 |
| gatsby-transformer-remark | npm | < 5.25.1 | 5.25.1 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- https://github.com/advisories/GHSA-7ch4-rr99-cqcw (ghsa, ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2023-22491 (ghsa, ADVISORY)
- https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-7ch4-rr99-cqcw (ghsa, x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.