How severe is CVE-2022-25863?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2022-25863?

This is classified as CWE-502, which is a common weakness in software security.

CVE-2022-25863 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

Related Vulnerabilities

CVE-2003-0791

CRITICAL

CVSS:9.8(Critical)

The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which...

CWE-5022003

CVE-2012-0911

CRITICAL

CVSS:9.8(Critical)

TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) print...

CWE-5022012

CVE-2012-4406

CRITICAL

CVSS:9.8(Critical)

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbi...

CWE-5022012

CVE-2013-1465

CRITICAL

CVSS:9.8(Critical)

The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrate...

CWE-5022013

CVE-2013-4521

CRITICAL

CVSS:9.8(Critical)

RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to exec...

CWE-5022013

CVE-2014-1860

CRITICAL

CVSS:9.8(Critical)

Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities

CWE-5022014