CVE-2026-53597: @prompty/core Arbitrary Code Execution via JavaScript Frontmatter
A malicious .prompty file using a JavaScript frontmatter block could execute arbitrary code in the host Node.js process the moment the file was loaded, because the TypeScript loader passed file conten
The problem
The @prompty/core v2 TypeScript loader used the gray-matter library to parse .prompty file frontmatter. gray-matter supports a ---js delimiter that evaluates the frontmatter body as JavaScript at parse time. The loader did not override the js or javascript engines, so any attacker-supplied .prompty file could trigger arbitrary Node.js code execution just by being loaded.
The impact is immediate and requires no further user interaction beyond the application loading the file. Applications that accept user-supplied prompt paths, process prompt bundles from third-party sources, or load .prompty files from less-trusted directories are directly exposed.
Proof of concept
A working proof-of-concept for CVE-2026-53597 in @prompty/core, with the exact payload below.
---js
((require("child_process")).execSync("id > /tmp/pwned"))
---
This is the prompt body.gray-matter's JS frontmatter engine calls Node's vm.runInThisContext (effectively eval) on the block between ---js and ---. The prompty loader called matter(content) with no options, so gray-matter used its defaults, which include js and javascript as active engines.
Placing arbitrary Node.js code inside ---js ... --- caused it to run synchronously during frontmatter parsing, before any prompt logic executed.
The patch commit c27402da explicitly overrides the js and javascript engine entries in the gray-matter options object to functions that throw an error, rejecting executable frontmatter entirely. A regression test was added to verify that ---js content is rejected and not evaluated.
The root cause is CWE-94: Improper Control of Generation of Code.
The fix
Upgrade @prompty/core to 2.0.0-beta.3 or later. The fix (commit c27402da2487075be577f06aa79df627fb9d6853) overrides the gray-matter js and javascript engines to throw on any attempt to use executable frontmatter in a .prompty file. Prompty frontmatter is YAML-only; no legitimate use case requires ---js blocks.
Related research
- critical · 9.6TidGi Desktop Remote Code Execution via Malicious TiddlyWiki Repository Import
- high · 8.8CVE-2026-53810CVE-2026-53810: openclaw Marketplace Runtime Extension Metadata Code Injection
- highCVE-2026-55177CVE-2026-55177: CloudTAK Authenticated Full-Read SSRF in /api/esri Routes
- high · 8.8CVE-2026-54504CVE-2026-54504: @andrea9293/mcp-documentation-server Unauthenticated Network API Exposure