CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-68278: TinaCMS: How a Blog Post Becomes a Beachhead (CVE-2025-68278)


Vulnerability ID: CVE-2025-68278
CVSS Score: 7.3
Published: 2025-12-18

CVE-2025-68278 is a critical Remote Code Execution (RCE) vulnerability in TinaCMS, a popular headless CMS. The flaw stems from its dependency, the gray-matter library, which, in a stunning display of optimism, defaults to executing JavaScript or CoffeeScript found in markdown frontmatter. This allows an attacker with permission to upload a seemingly harmless markdown file to gain complete control of the server, turning a simple content update into a full-scale system compromise. The fix involves explicitly disabling these dangerous 'features,' reminding us that sometimes the most helpful libraries are the ones holding a loaded gun.

TL;DR

A vulnerability in TinaCMS allows attackers to execute code on the server by crafting a malicious markdown file. The issue is caused by the gray-matter library, which processes JavaScript in frontmatter by default. Uploading a file with ---js delimiters leads to RCE. Update to patched versions immediately to disable this functionality.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94
  • Weakness: Improper Control of Generation of Code ('Code Injection')
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • CVSS v4.0 Score: 7.3 (High)
  • EPSS Score: 0.08% (Low Probability)
  • Exploit Status: Proof-of-Concept Available
  • CISA KEV: No

Affected Systems

  • TinaCMS
  • @tinacms/cli
  • @tinacms/graphql
  • tinacms: < 3.1.1 (Fixed in: 3.1.1)
  • @tinacms/cli: < 2.0.4 (Fixed in: 2.0.4)
  • @tinacms/graphql: < 2.0.3 (Fixed in: 2.0.3)

Code Analysis

Commit: fa7c27a

fix: Prevent JavaScript and CoffeeScript execution in frontmatter (#6268)

Exploit Details

  • Vulners (from GHSA): Provides a clear Proof-of-Concept demonstrating RCE by reading /etc/passwd via a crafted markdown file.

Mitigation Strategies

  • Upgrade to the latest patched versions of TinaCMS packages.
  • Explicitly disable dangerous features in third-party libraries.
  • Implement server-side input validation to reject markdown files containing executable frontmatter delimiters like ---js or ---coffee.
  • Run the application with the principle of least privilege to minimize the impact of a potential compromise.

Remediation Steps:

  1. Update tinacms to version 3.1.1 or later.
  2. Update @tinacms/cli to version 2.0.4 or later.
  3. Update @tinacms/graphql to version 2.0.3 or later.
  4. Run npm audit or yarn audit to ensure no vulnerable versions remain in your dependency tree.
  5. Review existing markdown content for any files using the now-forbidden frontmatter types and migrate them to YAML, JSON, or TOML.

Read the full report for CVE-2025-68278 on our website for more details including interactive diagrams and full exploit analysis.