Security advisory HCSEC-2026-01 revealed a critical vulnerability in the next-mdx-remote library that allows attackers to execute arbitrary code on servers rendering untrusted MDX content.
Tracked as CVE-2026-0969, the issue affects versions 4.3.0 through 5.0.0 and is fixed in 6.0.0. Next-mdx-remote is a popular open-source TypeScript library for Next.js-based React apps.
It lets developers pull MDX (Markdown with JSX) from databases, APIs, or user input and render it dynamically on the server or client.
How the Attack Works
MDX mixes Markdown’s simplicity with React components, making it great for blogs, docs, and user-generated content.
The problem lies in the library’s serialize and compileMDX functions. These lacked proper sanitization for JavaScript expressions in untrusted MDX.
Aspect: Information
CVE ID: CVE-2026-0969
Affected: next-mdx-remote 4.3.0 to 5.0.0
CVSS Score: Critical (estimated 9.8/10)
Impact: RCE on SSR with untrusted MDX
Attackers could sneak in malicious code such as eval(), Function(), or require() hidden in curly braces {}. When the server processes this during server-side rendering (SSR), it executes the code with full server privileges.
This leads to remote code execution (RCE), potentially letting hackers steal data, install malware, or take over the server.
For example, an attacker submits MDX like: {require('child_process').execSync('rm -rf /')}. If JavaScript expressions are enabled (the default), the server runs them blindly.
Version 6.0.0 brings breaking changes: JavaScript expressions are now blocked by default (blockJS: true).
When enabled (blockJS: false), a new blockDangerousJS: true option (default on) filters risky globals like process, eval, and require.
Upgrade to next-mdx-remote 6.0.0 immediately if you handle untrusted MDX on servers. Audit code for compileMDX or serialize calls.
Never render user-supplied MDX without sanitization. Use libraries like remark-rehype for extra safety. Test in staging to catch breaks from the defaults.
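As an added illustration (not next-mdx-remote's own code; the function and option names are hypothetical), the following pre-render gate mirrors the two 6.0.0 behaviours described above: with blockJS it rejects any untrusted MDX containing a JavaScript expression, and when expressions are allowed it still rejects those referencing the filtered globals, while ignoring braces inside code spans and fences, where they are literal text.

```typescript
// Added illustration, not next-mdx-remote's own code; function and option names are hypothetical.

// Globals the 6.0.0 release is described as filtering when expressions are still allowed.
const DANGEROUS_GLOBALS = ["process", "eval", "require", "Function", "globalThis"];

// blockJS: reject any expression (the 6.0.0 default).
// blockDangerousJS: when expressions are allowed, still reject risky globals.
interface GateOptions { blockJS?: boolean; blockDangerousJS?: boolean; }
interface GateResult { ok: boolean; reason?: string; }

// Remove fenced and inline code first: braces inside code are literal text in MDX,
// not expressions, and must not produce a false positive.
function stripCode(mdx: string): string {
  return mdx.replace(/`{3}[\s\S]*?`{3}/g, "").replace(/`[^`\n]*`/g, "");
}

// Collect the body of every top-level `{ ... }` expression outside code.
function findExpressions(mdx: string): string[] {
  const text = stripCode(mdx);
  const bodies: string[] = [];
  let depth = 0;
  let start = 0;
  for (let i = 0; i < text.length; i++) {
    if (text[i] === "{") {
      if (depth === 0) start = i + 1;
      depth++;
    } else if (text[i] === "}" && depth > 0) {
      depth--;
      if (depth === 0) bodies.push(text.slice(start, i));
    }
  }
  return bodies;
}

// Decide whether an untrusted MDX document may be handed to serialize() / compileMDX().
function gateUntrustedMdx(mdx: string, opts: GateOptions = {}): GateResult {
  const { blockJS = true, blockDangerousJS = true } = opts;
  const exprs = findExpressions(mdx);
  if (exprs.length === 0) return { ok: true };
  if (blockJS) return { ok: false, reason: `${exprs.length} JS expression(s) in untrusted MDX` };
  if (blockDangerousJS) {
    for (const body of exprs) {
      const hit = DANGEROUS_GLOBALS.find((g) => new RegExp(`\\b${g}\\b`).test(body));
      if (hit) return { ok: false, reason: `expression references dangerous global "${hit}"` };
    }
  }
  return { ok: true };
}

// Constructed sample submission (not from the advisory): only the braces outside code count.
const FENCE = "\x60\x60\x60"; // three backticks, escaped so this example's own fence stays intact
const SAMPLE = "# Post\n\nLiteral `{notAnExpression}` and\n\n" + FENCE + "js\nconst o = { a: 1 };\n" + FENCE + "\n\n{process.version}\n";
console.log(gateUntrustedMdx(SAMPLE)); // { ok: false, reason: '1 JS expression(s) in untrusted MDX' }
```

A textual scan like this is a defence-in-depth check in front of serialize() or compileMDX(), not a substitute for upgrading to 6.0.0, since it cannot recognise every way an expression can reach a dangerous global.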
The post Critical Vulnerability in Next-Mdx-Remote Allows Arbitrary Code Execution in React Server-Side Rendering appeared first on Cyber Security News.