next-mdx-remote Arbitrary Code Execution Vulnerability

A vulnerability allowing arbitrary code execution has been identified in the next-mdx-remote library, specifically in versions 4.3.0 prior to 5.0.0. The issue arises in the serialize function used to compile MDX, where insufficient sanitization of MDX content allows untrusted user inputs with JavaScript expressions to be executed. This vulnerability is particularly concerning in React applications that render MDX content from untrusted sources on the server side.

Impact

Exploitation of this vulnerability could lead to remote code execution on the server where the affected application is running.

Remediation

Users of next-mdx-remote should upgrade to version 6.0.0, which addresses this vulnerability by disabling JavaScript expressions in MDX content by default. For deployments that require JavaScript expressions, the new 'blockDangerousJS' option can be used to mitigate the risk.