Remove RCE-vulnerable JavaScript engine (CWE-94)#182

Open
MorielHarush wants to merge 1 commit into jonschlinkert:master from MorielHarush:master

Conversation

@MorielHarush

Description:
This PR removes the javascript engine from lib/engines.js. The current implementation uses eval(), allowing for Remote Code Execution (RCE) by default.

The Vulnerability:
gray-matter automatically identifies the engine from the delimiter (e.g., ---javascript). Since the javascript engine is registered in the core library, an attacker can execute arbitrary system commands simply by providing a malicious string to the matter() function—even with zero configuration from the developer.

Proof of Concept (PoC):

```javascript
const matter = require('gray-matter');
// The language tag after the opening delimiter selects the engine automatically.
const malicious = `---javascript
require('child_process').execSync('id').toString()
---
Hello world`;
const result = matter(malicious);
console.log('[RCE] Command output:', result.data);
```

Impact:
Any application using gray-matter to parse user-supplied content is vulnerable to full system compromise. This is a critical security flaw (CWE-94: Improper Control of Generation of Code).

Proposed Changes:

  • Removed the javascript engine from lib/engines.js.
  • Users who require dynamic front-matter should now be required to implement their own (secure) parser and pass it explicitly in the options.
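To illustrate the fail-closed design this PR argues for, here is an added example (my code, not gray-matter's and not part of the PR): a minimal front-matter parser whose engine dispatch goes only through an explicit allowlist. The language tag after the opening delimiter still selects an engine, but only registered engines can run, none of them evaluates code, and an unknown tag such as `---javascript` is an error rather than a code path. The names `parseFrontMatter`, `SAFE_ENGINES` and `rejectsJavascriptEngine` are mine, and the toy defaults to JSON only because it has no YAML dependency; the PR's own PoC string is reused as the hostile input.

```javascript
// Added example, not gray-matter's code: a front-matter parser that dispatches
// strictly through an explicit engine allowlist.
const DELIM = '---';

// Default allowlist: a single data-only engine. Assumption: this toy defaults
// to JSON because it has no YAML dependency (gray-matter itself defaults to YAML).
const SAFE_ENGINES = {
  json: { parse: (text) => JSON.parse(text) },
};

function parseFrontMatter(input, options = {}) {
  // Caller-supplied engines extend the allowlist explicitly; nothing is implicit.
  const engines = { ...SAFE_ENGINES, ...(options.engines || {}) };
  const defaultLanguage = options.language || 'json';

  if (!input.startsWith(DELIM)) {
    return { data: {}, content: input, language: null };
  }

  const lines = input.split('\n');
  // "---javascript" -> "javascript"; a bare "---" falls back to the default.
  const language = lines[0].slice(DELIM.length).trim() || defaultLanguage;
  const closeIdx = lines.findIndex((line, i) => i > 0 && line.trim() === DELIM);
  if (closeIdx === -1) {
    throw new Error('unterminated front matter block');
  }

  const engine = engines[language];
  if (!engine || typeof engine.parse !== 'function') {
    // Fail closed: an unregistered language tag is rejected before any parsing.
    throw new Error(`front-matter engine "${language}" is not registered`);
  }

  const block = lines.slice(1, closeIdx).join('\n');
  const content = lines.slice(closeIdx + 1).join('\n');
  return { data: block.trim() ? engine.parse(block) : {}, content, language };
}

// The PR's own PoC input, reused here to show the fail-closed behaviour.
const HOSTILE_INPUT = [
  '---javascript',
  "require('child_process').execSync('id').toString()",
  '---',
  'Hello world',
].join('\n');

// Constructed benign input for the allowlisted engine.
const BENIGN_INPUT = [
  '---json',
  '{"title": "Hello", "draft": false}',
  '---',
  'Body text',
].join('\n');

// Returns true when the javascript tag is refused by the allowlist check.
function rejectsJavascriptEngine(input = HOSTILE_INPUT) {
  try {
    parseFrontMatter(input);
    return false;
  } catch (err) {
    return /not registered/.test(err.message);
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseFrontMatter(BENIGN_INPUT));
  console.log('javascript engine rejected:', rejectsJavascriptEngine());
}
```

The important property is that the allowlist check runs before any engine touches the block: the hostile input is refused on the language tag alone, and a consumer who genuinely needs another format adds it through `options.engines` as a data parser, which is the explicit opt-in the PR proposes in place of a built-in `eval`-based engine.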
