CVE-2026-53597: Remote Code Execution in Microsoft prompty via Insecure gray-matter Parsing
Vulnerability ID: CVE-2026-53597
CVSS Score: 8.7
Published: 2026-07-17
CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.
TL;DR
Unauthenticated remote code execution via malicious .prompty frontmatter blocks that trigger evaluation in gray-matter.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-94: Improper Control of Generation of Code ('Code Injection')
- Attack Vector: Network (with User Interaction)
- CVSS v4.0: 8.7 (High)
- EPSS Score: 0.0093 (Percentile: 56.62%)
- Exploit Status: Proof of Concept (PoC) available
- KEV Status: Not Listed
Affected Systems
- Applications utilizing the @prompty/core TypeScript package to parse prompt files
- Node.js execution runtimes hosting prompty loading capabilities
- Prompt engineering and automated agent deployment environments using vulnerable prompty loaders
-
@prompty/core: >= 2.0.0-alpha.1, < 2.0.0-beta.3 (Fixed in:
2.0.0-beta.3)
Code Analysis
Commit: c27402d
Fix RCE flaw in TypeScript loader by explicitly overriding default gray-matter executable engines
@@ -79,7 +79,12 @@ export function defaultSaveContext(
function buildAgent(raw: string, filePath: string, options: LoadOptions): Prompty {
// 1. Split frontmatter + body
- const { data, content } = matter(raw);
+ const { data, content } = matter(raw, {
+ engines: {
+ js: { parse: rejectExecutableFrontmatter },
+ javascript: { parse: rejectExecutableFrontmatter },
+ },
+ });
Exploit Details
- GitHub Security Advisory: Advisory containing the vulnerability overview and replication methodology.
Mitigation Strategies
- Upgrade @prompty/core to version 2.0.0-beta.3 or later
- Implement raw file scanners to reject files with ---js or ---javascript frontmatter tags
- Enforce least-privilege principles for Node.js execution containers
- Limit runtime container network egress to authorized destinations only
Remediation Steps:
- Identify all projects referencing the npm package @prompty/core
- Run 'npm install @prompty/core@2.0.0-beta.3' or modify the package.json to pin the secure version
- Run 'npm audit' to verify that no vulnerable transitive dependencies remain in the dependency tree
- Deploy the static analysis YARA rule in CI/CD pipeline uploads to intercept malicious templates
References
- NVD - CVE-2026-53597 Details
- GitHub Security Advisory (GHSA-c4gh-rv8h-q9vw)
- Fix Commit (TypeScript Loader)
- OSV JSON Metadata Record
Read the full report for CVE-2026-53597 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)