SCA: security update for gatsby-transformer-remark (GHSA-7ch4-rr99-cqcw)

medium Tenable Cloud Security Plugin ID 411996

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Gatsby is a free and open source framework based on React that helps developers build websites and apps.
The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-
matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless
input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data
mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context of the build
server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added
into a file processed by gatsby-transformer-remark. A patch has been introduced in `gatsby-transformer-
[email protected]` and `[email protected]` which mitigates the issue by disabling the `gray-
matter` JavaScript Frontmatter engine. As a workaround, if an older version of `gatsby-transformer-remark`
must be used, input passed into the plugin should be sanitized ahead of processing. It is encouraged for
projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest
security updates and bug fixes are received in a timely manner. (CVE-2023-22491)

See Also

https://github.com/advisories/GHSA-7ch4-rr99-cqcw

Plugin Details

Severity: Medium

ID: 411996

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-22491

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/11/2023

Vulnerability Publication Date: 1/11/2023

Reference Information

CVE: CVE-2023-22491