
AIKIDO-2025-10900

rdme is vulnerable to Improper Control of Generation of Code ('Code Injection')

Category: Improper Control of Generation of Code ('Code Injection')
Advisory: GHSA-f65r-8r74-m6v5
Published: Dec 9, 2025

82 (High Risk)

This Affects:

JS: rdme
9.0.0 - 9.2.2 (fixed in 9.2.3)
10.0.0 - 10.5.4 (fixed in 10.6.0)

TL;DR

Affected versions of rdme are vulnerable to Remote Code Execution (RCE) because they use gray-matter with its default JavaScript engine enabled. In that configuration, front matter declared as JavaScript is evaluated while the file is parsed, so unsanitized input reaches the engine without any restriction. An attacker can exploit this by supplying a file whose front matter embeds JavaScript; when gray-matter parses that file with the JavaScript engine enabled, the embedded code runs in the server context and compromises the host.
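As an added illustration (not rdme's or gray-matter's own code), the block below shows the mitigation side of the mechanism described above: a minimal front-matter reader that follows gray-matter's `---<lang>` opening-fence convention but only dispatches to an explicit allowlist of data engines, so a block tagged `js` or `javascript` is rejected instead of evaluated, plus a small triage check that flags such files for review. Callers of the real gray-matter can apply the same allowlisting idea through its `engines` option; the JSON-only default and the sample documents here are constructed assumptions for this example.

```javascript
// Added example, not code from rdme or gray-matter: a front-matter reader
// that mirrors the "---<lang>" opening fence convention but never evaluates
// the block as code, and a detector that flags files requesting a code engine.

// Opening fence with optional language tag, the block body, and the closing fence.
const FRONT_MATTER = /^---([a-z]*)[ \t]*\r?\n([\s\S]*?)^---[ \t]*(?:\r?\n|$)/m;

// Allowlist of pure data engines. There is deliberately no "js"/"javascript"
// entry, so a file tagged that way cannot reach any evaluator.
const SAFE_ENGINES = {
  json: (src) => JSON.parse(src),
};

// Engines that would execute the block as code; the tag alone is worth flagging.
const CODE_ENGINES = new Set(['js', 'javascript']);

// Parse a document into { language, data, content }.
// Assumption for this example: an untagged block is treated as JSON
// (gray-matter itself defaults to YAML; a YAML parser would be added to SAFE_ENGINES).
function parseFrontMatter(text, engines = SAFE_ENGINES, defaultLanguage = 'json') {
  const m = FRONT_MATTER.exec(text);
  if (!m || m.index !== 0) {
    return { language: null, data: {}, content: text }; // no front matter at all
  }
  const language = m[1] || defaultLanguage;
  const engine = engines[language];
  if (typeof engine !== 'function') {
    // Unknown or disallowed engine: fail closed instead of guessing.
    throw new Error(`front matter engine "${language}" is not allowed`);
  }
  const raw = m[2].replace(/\r?\n$/, '');
  return { language, data: engine(raw), content: text.slice(m[0].length) };
}

// Triage helper: does this document ask for a code-executing engine?
function declaresCodeEngine(text) {
  const m = FRONT_MATTER.exec(text);
  return Boolean(m && m.index === 0 && CODE_ENGINES.has(m[1]));
}

// Constructed sample inputs (not taken from the advisory).
const SAFE_SAMPLE = '---json\n{"title": "hello"}\n---\nbody text\n';
const CODE_SAMPLE = '---js\n{ title: "untrusted" }\n---\nbody text\n';

// Exercise both paths when run directly.
console.log(parseFrontMatter(SAFE_SAMPLE)); // { language: 'json', data: { title: 'hello' }, content: 'body text\n' }
console.log(declaresCodeEngine(CODE_SAMPLE)); // true
try { parseFrontMatter(CODE_SAMPLE); } catch (e) { console.log(e.message); } // front matter engine "js" is not allowed
```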

Who does this affect?

You are affected if you run a version of rdme that falls within the vulnerable ranges listed above.

Background info

rdme is vulnerable to Improper Control of Generation of Code ('Code Injection') in versions 9.0.0 - 9.2.2 and 10.0.0 - 10.5.4.

How to fix this

Upgrade rdme to a patched version: 9.2.3 or later on the 9.x line, or 10.6.0 or later on the 10.x line.