Tina CMS Gray-Matter Insecure Handling Leading to Arbitrary Code Execution Vulnerability
Vulnerability
A vulnerability exists in Tina CMS versions prior to 3.1.1, as well as in @tinacms/cli versions prior to 2.0.4 and @tinacms/graphql versions prior to 2.0.3. Tina CMS uses the gray-matter package in a way that allows attackers to execute arbitrary code. Exploitation is possible when an attacker controls the content of markdown files that Tina CMS processes, such as blog posts. By default, gray-matter executes JavaScript code found in the front matter of markdown files. Tina CMS does not change this default, so processing an attacker-controlled file leads to code execution.
Impact
Exploitation of this vulnerability allows for arbitrary JavaScript code execution on the server where Tina CMS is hosted.
Reproduction
To reproduce this vulnerability, create a Tina CMS application using the command 'npx create-tina-app@latest'. Then, modify a blog post to include malicious front matter that executes JavaScript code, such as reading the contents of the password file. After uploading this file, start the Tina CMS server and observe the console, which will show the executed command's output, indicating successful exploitation.
Remediation
Users can upgrade to Tina CMS version 3.1.1, @tinacms/cli version 2.0.4, or @tinacms/graphql version 2.0.3 to address this vulnerability.
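As a defense-in-depth check alongside the upgrade, the following added example (not code from Tina CMS or gray-matter) rejects markdown whose front matter declares any language other than YAML or JSON before the file reaches the parser. It assumes gray-matter's default `---` delimiter with the language tag on the opening line; the function names, the allowlist and the sample files are constructed for illustration.

```javascript
// Added example: pre-ingest check for gray-matter-style front matter.
// Assumes the default '---' delimiter; the allowlist is an assumption about
// which front matter languages a site needs (data-only formats).
const DATA_ONLY_LANGUAGES = new Set(['', 'yaml', 'yml', 'json']);

// Return the language tag declared on the opening delimiter line,
// or null when the document has no front matter block.
function frontMatterLanguage(markdown) {
  const text = markdown.replace(/^\uFEFF/, ''); // drop a leading BOM
  if (!text.startsWith('---')) return null;
  if (text.charAt(3) === '-') return null; // '----' is not a front matter opener
  const eol = text.indexOf('\n');
  const firstLine = eol === -1 ? text : text.slice(0, eol);
  return firstLine.slice(3).trim().toLowerCase(); // trim also removes '\r'
}

// Decide whether a file may be handed to the markdown pipeline.
function checkMarkdown(name, markdown) {
  const language = frontMatterLanguage(markdown);
  if (language === null || DATA_ONLY_LANGUAGES.has(language)) {
    return { name, allowed: true, language };
  }
  return {
    name, allowed: false, language,
    reason: `front matter language "${language}" is not data-only`,
  };
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = {
  'yaml-post.md': '---\ntitle: Hello\n---\nBody\n',
  'json-post.md': '---json\n{"title": "Hello"}\n---\nBody\n',
  'js-post.md': '---js\n{ title: "placeholder" }\n---\nBody\n',
  'js-spaced.md': '--- JavaScript\r\n{ title: "placeholder" }\r\n---\r\nBody\r\n',
  'no-front-matter.md': '# Just a heading\n',
};

function scanSamples() {
  return Object.entries(SAMPLES).map(([name, md]) => checkMarkdown(name, md));
}

for (const result of scanSamples()) {
  console.log(result.allowed ? 'ok    ' : 'REJECT', result.name, result.reason || '');
}
```

Run it with Node.js; the same `checkMarkdown` function can gate uploads or run over a content directory in CI.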
