
High-Severity RCE Vulnerability Disclosed in next-mdx-remote

Blog post from Socket

Post Details
Author: Sarah Gooding
Word count: 630
Language: English
Summary

HashiCorp has disclosed a high-severity vulnerability in next-mdx-remote, its TypeScript library for loading and rendering MDX content in Next.js applications. Tracked as CVE-2026-0969, the issue affects versions 4.3.0 up to, but not including, 6.0.0. MDX is compiled into JavaScript, and the library did not sufficiently sanitize the content it compiled: when JavaScript expressions are enabled, expressions embedded in attacker-supplied MDX are executed during server-side compilation, so an application that compiles untrusted, user-supplied MDX on the server can be driven to remote code execution. Only applications that compile untrusted MDX server-side are exposed. Version 6.0.0 resolves the issue by disabling JavaScript expressions by default, moving the library from a permissive to a restrictive posture; because this is a default rather than a hard block, a deployment that explicitly re-enables expressions for content it does not control reintroduces the exposure. HashiCorp recommends upgrading to 6.0.0 and credits researchers at Sejong University for the disclosure. Socket has also published Certified Patches that can be applied directly to affected versions without requiring a full upgrade.
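The first question a practitioner asks of an advisory like this is whether any copy of the package in a deployment falls inside the affected range. The script below is an added triage example, not code from the Socket post or from the next-mdx-remote project: it walks the `packages` map of a package-lock.json (lockfile v2/v3; v1 lock files use a nested `dependencies` tree that this does not handle) and reports every installed next-mdx-remote, including nested copies under other dependencies, whose version satisfies the advisory's range `>=4.3.0 <6.0.0`. It carries its own semver comparison so it runs offline, and it treats prereleases the way semver orders them: `6.0.0-beta.1` sorts below `6.0.0` and is therefore still flagged, since only the 6.0.0 release carries the fix. The lock-file content embedded in the script is constructed for the example; the package names and versions in it are not taken from any real project.

```javascript
// Added triage example (not from the Socket post or the next-mdx-remote project).
// Scans a package-lock.json (lockfileVersion 2/3 "packages" map) for every
// installed copy of next-mdx-remote in the advisory's range >=4.3.0 <6.0.0.

const PACKAGE = 'next-mdx-remote';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into its comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Semver prerelease ordering: a release outranks any prerelease of the same
// core; numeric identifiers compare numerically and sort below alphanumeric ones.
function comparePrerelease(a, b) {
  if (a === null && b === null) return 0;
  if (a === null) return 1;
  if (b === null) return -1;
  const as = a.split('.');
  const bs = b.split('.');
  for (let i = 0; i < Math.max(as.length, bs.length); i++) {
    if (as[i] === undefined) return -1;
    if (bs[i] === undefined) return 1;
    const an = /^\d+$/.test(as[i]);
    const bn = /^\d+$/.test(bs[i]);
    if (an && bn) {
      const d = Number(as[i]) - Number(bs[i]);
      if (d !== 0) return d < 0 ? -1 : 1;
    } else if (an) {
      return -1;
    } else if (bn) {
      return 1;
    } else if (as[i] !== bs[i]) {
      return as[i] < bs[i] ? -1 : 1;
    }
  }
  return 0;
}

function compareSemver(a, b) {
  const c = compareCore(a.core, b.core);
  return c !== 0 ? c : comparePrerelease(a.prerelease, b.prerelease);
}

// Range from the advisory: affected from 4.3.0 (inclusive) up to 6.0.0 (exclusive).
const LOWER = parseSemver('4.3.0');
const FIXED = parseSemver('6.0.0');

// true when version satisfies >=4.3.0 <6.0.0 under semver ordering.
function isAffected(version) {
  const v = parseSemver(version);
  return compareSemver(v, LOWER) >= 0 && compareSemver(v, FIXED) < 0;
}

// Lock-file paths look like "node_modules/next-mdx-remote" for a top-level
// install and "node_modules/<dep>/node_modules/next-mdx-remote" for a nested copy.
function findAffected(lock) {
  const pattern = new RegExp(`(^|/)node_modules/${PACKAGE}$`);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!pattern.test(path) || !entry || !entry.version) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lock file for the example; not a real project's lock file.
const SAMPLE_LOCK = {
  name: 'example-site',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-site', version: '1.0.0' },
    'node_modules/next': { version: '14.2.0' },
    'node_modules/next-mdx-remote': { version: '4.4.1' },
    'node_modules/legacy-docs-widget': { version: '2.0.0' },
    'node_modules/legacy-docs-widget/node_modules/next-mdx-remote': { version: '5.0.0' },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${hit.path}@${hit.version} (CVE-2026-0969, fixed in 6.0.0)`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A clean result only answers the version question; whether the application compiles untrusted MDX server-side, and whether JavaScript expressions are enabled for that content, still has to be checked in the code that calls the library.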