Full Report
Mintlify is a B2B software-as-a-service documentation platform that lets companies write documentation as MDX files and host it with Mintlify's styling. Some of their clients include Discord, Twitter, and Vercel. The MDX used to render the docs is supplied by the customers themselves. The author was curious about how the pages were rendered server-side for static page generation for search engines and bots. MDX is effectively JSX (React) combined with Markdown, so you can literally embed JavaScript expressions in the Markdown. So, they added a simple payload to just eval things on the server, and it worked! After some work, they were able to extract all of the environment variables from the serverless environment. This attack could be used to enable mass XSS, defacement, and other issues. Yikes!

The route /_mintlify/static/[subdomain]/ is used to load static images. Surprisingly, a site will serve assets belonging to other customers' subdomains! The author created an SVG containing an XSS payload and shared the link https://discord.com/_mintlify/static/evascoolcompany/xss.svg on Discord. This is XSS on everything now. This becomes particularly problematic because cookies are unlikely to be scoped per subdomain. Mintlify patched the targeted XSS by ensuring that the asset path was an absolute path, but that check was vulnerable to directory traversal. On top of these issues, they found an IDOR that exposed GitHub repo fields for private repos through the GitHub API. Additionally, previously deployed versions on Vercel remained accessible via direct branch references, so the exploit could still be run there. After all of this effort, they were rewarded with 5K from Mintlify.

There was another hacker involved with this: MDL. Instead of just popping an alert via XSS, they wanted to create MORE impact on the specific platforms. Some companies treat third-party vendors as untrusted input, and some grant them admin access to everything. So, they wanted to take the XSS from above further.

Some companies had a permissive CORS policy that allowlisted all of *.company.com. In that case, it's possible to send requests on the user's behalf to the main website. This was made even worse by companies that scoped their authentication cookies to the entire domain namespace. Finally, most companies didn't bother configuring a CSP because it's "just documentation". In the other camp was explicit distrust: the best defense was explicit domain separation. Some companies also didn't scope cookies to the entire domain, which limited the impact. They planned to disclose on their websites, based on the findings, who was vulnerable and who paid out. However, after getting approval, they got blasted by lawyers with threatening letters, so they decided to anonymize it.

I have always found bugs in third-party components being reported to bug bounty programs to be hit or miss on payouts. On one hand, the goal of a bug bounty program is to find anything that can negatively affect customers. On the other hand, the company did nothing wrong and is being punished for a bug in somebody else's code. If we go on impact and impact alone, it makes sense to pay out. Otherwise, no research would be done into smaller products/open source things.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Mintlify Documentation Platform
## CVE Details
- **CVE IDs:**
  - **CVE-2025-67843:** Server-Side MDX Remote Code Execution (RCE)
  - **CVE-2025-67842:** Cross-Domain Static Asset XSS
  - **CVE-2025-67845:** Directory Traversal (XSS Patch Bypass)
  - **CVE-2025-67844:** GitHub Repository IDOR
  - **CVE-2025-67846:** Deployment Downgrade Attack
- **CVSS Score:** 9.8 (Critical - Estimated for RCE/Mass XSS)
- **CWE:** CWE-94 (Code Injection), CWE-79 (XSS), CWE-22 (Path Traversal), CWE-639 (IDOR)
## Affected Systems
- **Products:** Mintlify B2B SaaS Documentation Platform
- **Versions:** All versions prior to the 2024/2025 remediation updates.
- **Configurations:** Companies hosting documentation via Mintlify, particularly those using custom subdomains or integrated GitHub repositories (e.g., Discord, Twitter, Vercel).
## Vulnerability Description
Mintlify utilized MDX (JSX combined with Markdown) to render documentation. The investigation revealed several critical security flaws:
1. **Server-Side MDX Injection:** The platform failed to sanitize JavaScript expressions within MDX files during Server-Side Rendering (SSR). This allowed attackers to execute arbitrary code in the serverless environment (Vercel/AWS).
2. **Cross-Tenant Static Asset Loading:** The route `/_mintlify/static/[subdomain]/` allowed any domain to load assets from any other Mintlify tenant. An attacker could host a malicious SVG on their own Mintlify instance and trigger XSS on a victim's domain (e.g., `discord.com/_mintlify/static/attacker/xss.svg`).
3. **Path Traversal:** An initial patch for the XSS was bypassed using directory traversal techniques to reach restricted internal CDN paths.
4. **IDOR:** The GitHub integration lacked proper authorization checks, allowing users to expose private repository fields/metadata via the API.
5. **Vercel Deployment Persistence:** Older, vulnerable versions of the application remained accessible via direct Vercel branch/deployment URLs, allowing "downgrade" style exploitation.
## Exploitation
- **Status:** PoC available; reported via Bug Bounty (Rewarded $5,000).
- **Complexity:** Low to Medium.
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** Critical (Exfiltration of environment variables, API tokens, and private GitHub repo metadata).
- **Integrity:** Critical (Mass XSS, documentation defacement, and cache poisoning across all customer sites).
- **Availability:** High (Potential for DoS via resource-heavy PDF exports or path validation exhaustion).
## Remediation
### Patches
- **RCE Fix:** Disabled parsing of complex JavaScript expressions during SSR; execution is now limited to the client-side.
- **XSS Fix:** Implemented strict origin checks to ensure assets are only loaded from the owner's organization.
- **Traversal Fix:** Added validation to sanitize and normalize paths for static assets.
- **IDOR Fix:** Enhanced GitHub App installation checks to verify repository ownership.
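The XSS and traversal fixes above amount to two checks on the static asset route: the requested tenant must own the serving host, and the asset path must stay inside that tenant's directory after full decoding. The following is an added illustration of such a resolver, not Mintlify's code; the `HOST_TENANT` map, `ASSET_ROOT` layout and the `/_mintlify/static/<subdomain>/<path>` shape are assumptions.

```javascript
// Added example (not Mintlify's code): a hardened resolver for a tenant-scoped
// static asset route shaped like /_mintlify/static/<subdomain>/<path>.
// Assumptions: the tenant owning each serving host is known (HOST_TENANT is a
// constructed stand-in) and each tenant's files live under ASSET_ROOT/<tenant>/.
const ASSET_ROOT = "/srv/assets"; // assumed storage layout
const HOST_TENANT = {
  "docs.example-a.test": "example-a",
  "docs.example-b.test": "example-b",
};

// Decode until stable so double encoding (%252e%252e) cannot hide "..".
function decodeFully(s) {
  for (let prev = null; prev !== s; ) {
    prev = s;
    try { s = decodeURIComponent(s); } catch { return null; }
  }
  return s;
}

// Segment-wise normalization that refuses to climb above the tenant root.
function normalizeWithinRoot(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { if (out.length === 0) return null; out.pop(); continue; }
    out.push(seg);
  }
  return out.join("/");
}

function resolveStaticAsset(host, requestedTenant, assetPath) {
  // 1. Origin check: this host only serves assets of the tenant that owns it.
  const owner = HOST_TENANT[host];
  if (!owner || owner !== requestedTenant) return { ok: false, reason: "cross-tenant" };
  // 2. Reject undecodable input, NUL bytes and backslashes, then normalize.
  const decoded = decodeFully(assetPath);
  if (decoded === null || /[\0\\]/.test(decoded)) return { ok: false, reason: "bad-path" };
  const rel = normalizeWithinRoot(decoded);
  if (rel === null) return { ok: false, reason: "traversal" };
  if (rel === "") return { ok: false, reason: "bad-path" };
  // 3. Serve user-supplied SVGs with a CSP that forbids script execution.
  const headers = {};
  if (/\.svg$/i.test(rel)) headers["Content-Security-Policy"] = "sandbox; script-src 'none'";
  return { ok: true, file: `${ASSET_ROOT}/${owner}/${rel}`, headers };
}
```

The CSP on SVG responses is a second layer: even if a scripted SVG is served, the browser will not run it in the document's origin.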
### Workarounds
- **Domain Separation:** Use isolated domains for documentation (e.g., `company-docs.com`) rather than subdirectories or subdomains of primary applications.
- **Cookie Scoping:** Ensure sensitive authentication cookies are scoped to specific subdomains rather than the entire wildcard domain (e.g., `app.company.com` instead of `.company.com`).
- **CSP:** Implement a strict Content Security Policy (CSP) to prevent unauthorized script execution and exfiltration.
## Detection
- **Indicators of Compromise:** Unusual POST requests to unknown external domains from serverless functions; SVG files containing `<script>` or `onload` attributes in documentation repositories.
- **Detection Methods:** Monitor for directory traversal patterns (unauthorized `../`) in logs for the `/_mintlify/static/` endpoint.
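As an added example (not from the original report or Mintlify's tooling), a small scanner for the detection method above: it flags traversal sequences on the `/_mintlify/static/<subdomain>/` route whether written raw, percent-encoded or double-encoded, and also flags requests whose path names a tenant other than the one owning the serving host. The log lines, the `<host> <method> <path> <status>` format and the `HOST_TENANT` map are constructed for illustration.

```javascript
// Added example, not part of the original report or Mintlify's tooling: scans
// access-log lines for traversal attempts and cross-tenant asset loads on the
// /_mintlify/static/<subdomain>/ route. Log lines, log format and the
// host-to-tenant mapping are constructed stand-ins.
const HOST_TENANT = { "docs.example-a.test": "example-a", "docs.example-b.test": "example-b" };

// Constructed sample lines in the assumed format "<host> <method> <path> <status>".
const SAMPLE_LOG = [
  "docs.example-a.test GET /_mintlify/static/example-a/img/logo.svg 200",
  "docs.example-a.test GET /_mintlify/static/example-b/xss.svg 200",
  "docs.example-b.test GET /_mintlify/static/example-b/..%2F..%2Fexample-a%2Ffile.svg 404",
  "docs.example-b.test GET /_mintlify/static/example-b/%252e%252e/%252e%252e/etc/passwd 200",
  "docs.example-a.test GET /docs/getting-started 200",
];

const STATIC_ROUTE = /^\/_mintlify\/static\/([^/?]+)\/([^?]*)/;
// ".." written raw, percent-encoded or double percent-encoded, followed by a
// separator that may itself be raw, encoded, or a backslash (or end of path).
const TRAVERSAL = /(?:\.\.|%2e%2e|%252e%252e)(?:\/|\\|%2f|%5c|%252f|%255c|$)/i;

function analyzeLine(line) {
  const [host, method, rawPath, status] = line.trim().split(/\s+/);
  const m = STATIC_ROUTE.exec(rawPath || "");
  if (!m) return null; // not the static asset route, nothing to check
  const [, subdomain, rest] = m;
  const findings = [];
  const owner = HOST_TENANT[host];
  if (owner && owner !== subdomain) findings.push("cross-tenant");
  if (TRAVERSAL.test(rest)) findings.push("traversal");
  return findings.length ? { host, method, path: rawPath, status, subdomain, findings } : null;
}

// Returns only the lines that produced at least one finding.
function scanLog(lines) {
  return lines.map(analyzeLine).filter(Boolean);
}
```

Cross-tenant hits with a 200 status deserve the most attention, since they show the origin check was absent or bypassed at the time of the request.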
## References
- **Vendor:** hxxps://mintlify[.]com
- **Researcher Report:** hxxps://kibty[.]town/blog/mintlify/
- **Collaborator Details:** hxxps://heartbreak[.]ing/ and hxxps://gist[.]github[.]com/hackermondev/5e2cdc32849405fff6b46957747a2d28