VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-30121

Description

Remotion v4.0.409 contains an arbitrary file write vulnerability due to missing path validation, allowing an attacker to write files outside intended directories.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Remotion v4.0.409 contains an arbitrary file write vulnerability, as reported in [1]. The affected component is not publicly specified, but the issue occurs when Remotion Studio processes user-supplied paths without proper validation, enabling writes to unintended filesystem locations. The flaw was acknowledged by the vendor and fixed in version v4.0.410 [1].

Exploitation

To exploit the vulnerability, an attacker must have the ability to trigger a file write operation in a vulnerable Remotion Studio configuration, such as by providing a crafted path or filename during asset export or similar functionality. No authentication is explicitly required, but user interaction or a specific configuration may be necessary depending on the deployment model [1].

Impact

Successful exploitation allows the attacker to write files to arbitrary locations on the filesystem where the Remotion Studio process has write permissions. This could lead to overwriting critical files, injecting malicious content (e.g., HTML in a web directory), or other forms of compromise depending on the attacker’s goals and the environment. Both integrity and availability may be affected [1].

Mitigation

The vendor released a fix in Remotion v4.0.410 on 2026-01-26 [1]. All users running v4.0.409 or earlier should upgrade to v4.0.410 or later to remediate the issue. No workaround is documented in the available references [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
