CVE-2025-68278

Severity: HIGH (CVSS 4.0 base score 7.3)
Published: 2025-12-18

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: Low (L)
User Interaction: Passive (P)
Scope: Not Defined (X)

Lifecycle Timeline

Analysis Generated: Apr 10, 2026 - 17:37 (vuln.today)
Patch Released: Apr 10, 2026 - 17:37 (nvd) - patch available
PoC Detected: Apr 10, 2026 - 17:34 (vuln.today) - public exploit code
CVE Published: Dec 18, 2025 - 16:15 (nvd)

Description

Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue.

Analysis

Remote code execution in TinaCMS affects versions prior to 3.1.1, @tinacms/cli before 2.0.4, and @tinacms/graphql before 2.0.3. Authenticated attackers with control over the content of markdown files can execute arbitrary code through insecure use of the gray-matter package. The vulnerability requires low-privilege authentication (PR:L) and passive user interaction (UI:P), and enables full compromise of confidentiality, integrity, and availability in the vulnerable context. Publicly available exploit code exists, significantly increasing the risk for unpatched installations that manage user-contributed markdown content.

Technical Context

CWE-94 code injection stems from unsafe gray-matter frontmatter parsing in the markdown processing pipeline. The library permits YAML deserialization of attacker-controlled markdown headers without input sanitization, enabling constructor injection or prototype pollution that leads to arbitrary Node.js code execution during content ingestion workflows.

Affected Products

TinaCMS (cpe:2.3:a:ssw:tinacms) versions <3.1.1, @tinacms/cli (cpe:2.3:a:ssw:tinacms/cli) versions <2.0.4, @tinacms/graphql (cpe:2.3:a:ssw:tinacms/graphql) versions <2.0.3, and the Node.js runtime environments in which they run.

Remediation

Vendor-released patches: upgrade TinaCMS to version 3.1.1 or later, @tinacms/cli to version 2.0.4 or later, and @tinacms/graphql to version 2.0.3 or later. All three packages must be updated simultaneously to eliminate exposure. Organizations unable to immediately patch should restrict markdown content editing permissions to fully trusted administrators only and implement strict content review workflows. Implement input validation on frontmatter fields if custom parsing exists. Consult GitHub Security Advisory GHSA-529f-9qwm-9628 (https://github.com/tinacms/tinacms/security/advisories/GHSA-529f-9qwm-9628) for complete vendor guidance and technical details on the gray-matter exploitation mechanism. Verify remediation commit fa7c27abef968e3f3a3e7d564f282bc566087569 is included in deployed versions.
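The Technical Context and Remediation sections above both point at the same control: frontmatter must be validated before any YAML engine deserializes it. The following is an added example of such a pre-ingestion gate; it is not TinaCMS or gray-matter code. It assumes gray-matter's convention that the opening `---` delimiter may carry an engine name (for example `---js`), and it accepts only a plain YAML block whose keys are allow-listed and whose values are simple scalars, rejecting everything else before a parser sees it.

```javascript
// Added example (not TinaCMS or gray-matter code): a strict front-matter gate
// run on attacker-controllable markdown before it reaches the content pipeline.
// Assumption: the opening delimiter may carry an engine selector ("---js"),
// so anything other than a bare "---" is refused.

const ALLOWED_KEYS = new Set(['title', 'date', 'author', 'draft']); // hypothetical schema
const DELIMITER = '---';

// Returns { ok: true, fields } for acceptable input, { ok: false, reason } otherwise.
// `fields` holds raw strings; the caller may then hand them to a YAML-only parser.
function validateFrontMatter(markdown) {
  const lines = markdown.split(/\r?\n/);
  if (lines[0] !== DELIMITER) {
    // "---js", "---javascript" and similar select a non-YAML engine: refuse them.
    return lines[0].startsWith(DELIMITER)
      ? { ok: false, reason: `engine selector not allowed: ${lines[0]}` }
      : { ok: true, fields: {} }; // document has no front matter at all
  }
  const end = lines.indexOf(DELIMITER, 1);
  if (end === -1) return { ok: false, reason: 'unterminated front matter' };

  const fields = {};
  for (const raw of lines.slice(1, end)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue; // blank lines and YAML comments
    // Only "key: scalar" lines are accepted; nested maps, lists and anything
    // else that is not a flat key/value pair is refused outright.
    const m = /^([A-Za-z_][A-Za-z0-9_-]*):\s*(.*)$/.exec(line);
    if (!m) return { ok: false, reason: `unsupported line: ${line}` };
    const [, key, value] = m;
    if (!ALLOWED_KEYS.has(key)) return { ok: false, reason: `key not allowed: ${key}` };
    // Explicit tags (!), anchors/aliases (&, *), flow collections ({}, []) and
    // block scalars (|, >) are the constructs a YAML engine interprets; refuse them.
    if (/[!&*{}\[\]|>]/.test(value)) {
      return { ok: false, reason: `non-scalar value for ${key}` };
    }
    fields[key] = value;
  }
  return { ok: true, fields };
}

// Constructed sample input: a well-formed post that passes the gate.
const sample = '---\ntitle: Release notes\ndate: 2025-12-18\n---\n# Body text';
console.log(validateFrontMatter(sample));
```

Run the gate on every write path that accepts markdown (editor saves, Git-backed imports, API uploads), not only on the rendering path, so that rejected documents never reach storage.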

Priority Score

Score: 56
Components: KEV 0, EPSS +0.1, CVSS +36, PoC +20


CVE-2025-68278 vulnerability details – vuln.today