CVE-2023-22491: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2023-22491) affects the gatsby-transformer-remark plugin versions prior to 5.25.1 and 6.3.2. The plugin was found to be vulnerable to JavaScript injection through its integration with the gray-matter npm package in its default configuration. This security issue was discovered and disclosed on January 11, 2023 (GitHub Advisory).

The vulnerability stems from the gatsby-transformer-remark plugin passing unsanitized input to the gray-matter npm package when operating in data mode (querying MarkdownRemark nodes via GraphQL). The issue is particularly concerning when processing files with untrusted or unsanitized input. The vulnerability has been assigned a CVSS v3.1 score of 8.1 (High severity), with attack vector being Network, low attack complexity, low privileges required, and no user interaction needed (GitHub Advisory).

When exploited, this vulnerability allows injected JavaScript to execute in the context of the build server. The impact is significant with high confidentiality and integrity risks, though availability remains unaffected. A proof-of-concept exploit demonstrates the ability to execute system commands through child_process (GitHub Advisory).

The vulnerability has been patched in gatsby-transformer-remark versions 5.25.1 and 6.3.2 by disabling the gray-matter JavaScript Frontmatter engine by default. A new option, JSFrontmatterEngine, has been introduced and is set to false by default. For users who must enable JSFrontmatterEngine, input must be sanitized before processing. For those using older versions, input sanitization is recommended as a workaround (GitHub Advisory).