Vulnerability  ·  2026-07-17

Prompty (.prompty LLM Prompt Format) — Executable Frontmatter Enables Code Execution via gray-matter

VulnerabilityHigh impactGlobalCVE-2026-53597
Microsoft's Prompty markdown-based LLM prompt format loader inherited gray-matter's executable frontmatter feature, letting a malicious .prompty file (e.g., shared or downloaded from a repo) run arbitrary JavaScript the moment it is parsed by an application.
Prompty files are meant to be portable, shareable prompt definitions for LLM applications; if a team pulls in a third-party .prompty file (e.g., from a shared prompt library or repo) expecting only a text template, they instead get arbitrary code execution — a supply-chain risk specific to the emerging prompt-as-code ecosystem.
The @prompty/core loader used the gray-matter library to parse .prompty frontmatter without disabling its executable 'js'/'javascript' frontmatter engines, so an attacker-controlled .prompty file containing JS frontmatter executes arbitrary JavaScript when loaded by the runtime.
@prompty/core TypeScript loader, 2.0.0-alpha.1 – 2.0.0-beta.3
Upgrade to Prompty 2.0.0-beta.3 or later, which disables executable frontmatter engines.
CVE Record / GitHub commit
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →