RCE in next-mdx-remote When Server-Side Rendering Untrusted MDX
HashiCorp disclosed HCSEC-2026-01 (tracked as CVE-2026-0969 / GHSA-g4xw-jxrg-5f6m), affecting the next-mdx-remote library that Next.js applications use to render MDX content. The flaw stems from insufficient sanitization in the serialize compilation path and can lead to arbitrary code execution when an application server-side renders untrusted MDX, particularly when JavaScript expressions in MDX are permitted. The issue is categorized as CWE-94 (code injection) and reported with a CVSS 3.1 score of 8.8 (High).
Guidance from the Canadian Centre for Cyber Security and third-party analysis both recommend updating affected deployments. The two sources describe the affected range slightly differently: 4.3.0 through 5.0.0 (Cyber Centre advisory) and 4.3.0 up to but not including 6.0.0 (Socket), with remediation available in 6.0.0. The 6.0.0 release also changes defaults to reduce exposure by disabling JavaScript expressions by default (blockJS: true) and adds further guardrails when dangerous JS is explicitly enabled (e.g., best-effort blocking of constructs like eval, Function, process, and require).
Timeline
Feb 12, 2026
Canadian Centre for Cyber Security issues notice on the advisory
On 2026-02-12, the Canadian Centre for Cyber Security published alert AV26-123 referencing HashiCorp's advisory and urging users and administrators to review the guidance and apply necessary updates. The notice highlighted the arbitrary code execution risk in affected next-mdx-remote versions.
Feb 11, 2026
next-mdx-remote 6.0.0 released with protections enabled by default
HashiCorp reported the vulnerability is fixed in next-mdx-remote 6.0.0. The release changes defaults to disable JavaScript expressions by default and adds additional protections when expressions are explicitly enabled.
Feb 11, 2026
HashiCorp discloses CVE-2026-0969 in next-mdx-remote
On 2026-02-11, HashiCorp published advisory HCSEC-2026-01 describing a high-severity arbitrary code execution vulnerability in next-mdx-remote when untrusted MDX is server-side rendered. The issue affects versions starting at 4.3.0 and was assigned CVE-2026-0969 / GHSA-g4xw-jxrg-5f6m.
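The advisory's mitigation is to keep JavaScript expressions disabled for untrusted MDX. As an added illustration (not next-mdx-remote's own code), the gate below shows what such content looks like from the defender's side: it scans MDX before it reaches serialize and reports any expression braces or top-level ESM, marking expressions that use the constructs the advisory names (eval, Function, process, require). The sample MDX, the assumption that braces inside fenced or inline code and backslash-escaped braces are literal, and the function names are all constructed for this example; the check complements, rather than replaces, upgrading to 6.0.0.

```javascript
// Constructs the 6.0.0 guardrails are described as blocking when JS is enabled.
const DANGEROUS = ["eval", "Function", "process", "require"];

// Remove fenced code blocks (``` ... ```) and inline code (`...`) so braces
// inside them are not mistaken for MDX expressions (assumption: they are literal).
function stripCode(source) {
  return source
    .replace(/```[\s\S]*?```/g, "")
    .replace(/`[^`\n]*`/g, "");
}

// Best-effort scan: returns one finding per JavaScript-carrying construct.
// An empty list means the MDX needs no JS to render.
function findMdxJavaScript(source) {
  const findings = [];
  const text = stripCode(source);

  // Top-level ESM (import/export at the start of a line) runs at compile time.
  for (const m of text.matchAll(/^(import|export)\b.*$/gm)) {
    findings.push({ kind: "esm", snippet: m[0].trim() });
  }

  // Expression braces that are not backslash-escaped; nested braces are
  // reported from the innermost pair, which is enough to reject the document.
  for (const m of text.matchAll(/(?<!\\)\{([^{}]*)\}/g)) {
    const body = m[1].trim();
    const hit = DANGEROUS.some((w) => new RegExp(`\\b${w}\\b`).test(body));
    findings.push({ kind: hit ? "dangerous-expression" : "expression", snippet: body });
  }
  return findings;
}

// Policy for untrusted sources: only MDX with no JS at all is handed to serialize().
function isSafeToRender(source) {
  return findMdxJavaScript(source).length === 0;
}

// Constructed sample of untrusted MDX mixing literal braces with real expressions.
const SAMPLE_UNTRUSTED = [
  "# Hello",
  "",
  "The total is {1 + 1}.",
  "",
  "```js",
  "const x = { a: 1 }; // literal braces inside a fence",
  "```",
  "",
  "Inline `{notAnExpression}` code and escaped \\{braces\\} are literal.",
  "",
  "{process.env.SECRET}",
].join("\n");
```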