{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-01T23:56:29.197","vulnerabilities":[{"cve":{"id":"CVE-2023-22491","sourceIdentifier":"security-advisories@github.com","published":"2023-01-13T19:15:12.407","lastModified":"2025-03-11T14:15:16.767","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized.  The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL).  Injected JavaScript executes in the context of the build server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. A patch has been introduced in `gatsby-transformer-remark@5.25.1` and `gatsby-transformer-remark@6.3.2` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine. As a workaround, if an older version of `gatsby-transformer-remark` must be used, input passed into the plugin should be sanitized ahead of processing. It is encouraged for  projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner."},{"lang":"es","value":"Gatsby es un framework gratuito y de código abierto basado en React que ayuda a los desarrolladores a crear sitios web y aplicaciones. El complemento gatsby-transformer-remark anterior a las versiones 5.25.1 y 6.3.2 pasa la entrada al paquete npm `gray-matter`, que es vulnerable a la inyección de JavaScript en su configuración predeterminada, a menos que la entrada esté desinfectada. La vulnerabilidad está presente en gatsby-transformer-remark cuando se pasa entrada en modo de datos (consultando nodos MarkdownRemark a través de GraphQL). El JavaScript inyectado se ejecuta en el contexto del servidor de compilación. Para explotar esta vulnerabilidad, la entrada no confiable/no desinfectada tendría que obtenerse o agregarse a un archivo procesado por gatsby-transformer-remark. Se introdujo un parche en `gatsby-transformer-remark@5.25.1` y `gatsby-transformer-remark@6.3.2` que mitiga el problema al deshabilitar el motor JavaScript Frontmatter de `materia gris`. Como workaround, si se debe utilizar una versión anterior de `gatsby-transformer-remark`, la entrada pasada al complemento debe desinfectarse antes del procesamiento. Se recomienda que los proyectos actualicen a la última versión principal de todos los complementos de Gatsby para garantizar que las últimas actualizaciones de seguridad y correcciones de errores se reciban de manera oportuna."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-89"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gatsbyjs:gatsby:*:*:*:*:*:node.js:*:*","versionEndExcluding":"5.25.1","matchCriteriaId":"A4C7E5A6-DB6C-466C-B29B-77AE0F949F31"},{"vulnerable":true,"criteria":"cpe:2.3:a:gatsbyjs:gatsby:6.3.1:*:*:*:*:node.js:*:*","matchCriteriaId":"905C5A4D-1415-4854-A55E-0D31E85CB048"}]}]}],"references":[{"url":"https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-7ch4-rr99-cqcw","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-7ch4-rr99-cqcw","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-7ch4-rr99-cqcw","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"]}]}}]}