**Hacking Discord, Vercel, and More with One Easy Trick**
As a journalist, I was intrigued by a recent blog post collaboration between three security researchers: myself, HackerMon, and MDL. We discovered a series of vulnerabilities in Mintlify, a B2B SaaS documentation platform used by several major companies, including Discord, Vercel, and Twitter.
**The Discovery**
It all started when I was notified that Discord had switched to using Mintlify as its documentation platform. I took another look at the company, now that they're bigger, and wondered how their customers' documentation was being rendered on the server side for static page generation. Mintlify uses MDX (a markup language that combines JSX with Markdown) to render customer-provided documents.
**The Vulnerability**
I soon realized that nothing prevented us from making a JSX expression in an MDX file that evaluated code on the server. So, I tried it out with a simple payload to see what would happen. To my surprise, I received a request from a Vercel/Amazon IP address. It seemed that Mintlify was using their Next.js app to render the documentation.
**The Exploitation**
I quickly wrote a script to exfiltrate some data, including environment variables and app files. What I got back was shocking: we had full access to the server-side environment of their main documentation app. Alongside this, we could poison the Next.js cache for everyone, allowing mass XSS (Cross-Site Scripting) attacks on any docs site.
**The Impact**
We realized that we could supply chain attack various big Fortune 500 companies, including but not limited to:
* Discord
* Vercel
* Twitter
* Cursor
And many more. The impact was huge, and it's astonishing that most companies don't properly scope cookies or have their documentation on a subpath.
**The Patch Bypass**
After Mintlify patched the targeted XSS via static, I took another look at the code for the route. I had an idea: nothing prevents us from adding URL-encoded path traversal in a part of a path to climb up the CDN path. I crafted a URL and tested it, and... the beautiful alert page appeared again.
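The class of bug described above (an encoded traversal sequence surviving into the upstream CDN path) is closed by validating the decoded path before the upstream URL is built. The following is an added example, not code from Mintlify or from the original post; `CDN_BASE`, `naiveCdnUrl`, `fullyDecode`, `safeCdnUrl`, the tenant names and the sample paths are all constructed for illustration.

```javascript
// Added example; every name here is hypothetical, not Mintlify's code.
const CDN_BASE = "https://cdn.example.invalid/static/"; // placeholder origin

// Before: the decoded route parameter is concatenated into the upstream URL.
function naiveCdnUrl(tenant, rawPath) {
  const decoded = decodeURIComponent(rawPath); // what a router hands the handler
  return new URL(`${tenant}/${decoded}`, CDN_BASE).href; // URL parser resolves ".."
}

// Decode repeatedly so double-encoded input (%252e%252e) is seen in final form.
function fullyDecode(value) {
  let current = value;
  for (let round = 0; round < 5; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null; // malformed percent-escape: reject rather than guess
    }
    if (next === current) return current;
    current = next;
  }
  return null; // still changing after 5 rounds: reject
}

// After: validate each segment, then confirm the result stays under the tenant.
function safeCdnUrl(tenant, rawPath) {
  if (!/^[a-z0-9-]+$/.test(tenant)) return null;
  const decoded = fullyDecode(rawPath);
  if (decoded === null || /[\\\0]/.test(decoded)) return null;
  const segments = decoded.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) return null;
  const prefix = `${CDN_BASE}${tenant}/`;
  const url = new URL(segments.map(encodeURIComponent).join("/"), prefix);
  return url.href.startsWith(prefix) ? url.href : null;
}

// Constructed inputs: a normal asset, then single- and double-encoded traversal.
const samples = ["img/logo.svg", "..%2Ftenant-b%2Fxss.svg", "%252e%252e%252Ftenant-b%252Fxss.svg"];
for (const p of samples) {
  console.log(p, "| naive:", naiveCdnUrl("tenant-a", p), "| safe:", safeCdnUrl("tenant-a", p));
}
```

The final `startsWith` check is deliberate defence in depth: even if a segment rule is later loosened, a URL that resolves outside the tenant prefix is still refused.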
**Additional Vulnerabilities**
Alongside this, I found a few non-critical vulnerabilities that don't deserve an entire section:
* Add a malicious SVG file to your repository, wait for deployment, and access it on any Mintlify-provided documentation/custom domain with the path `/_mintlify/static/evascoolcompany/xss.svg` or similar.
**The Aftermath**
After we got in contact with Mintlify, everything was patched very swiftly. I was awarded $5,000 USD for my efforts and findings. HackerMon and MDL also wrote about their experiences and discoveries in separate blog posts.
This series of vulnerabilities had a huge impact, and it's crucial that companies take steps to secure their documentation platforms and prevent similar attacks from happening in the future.
**Resources**
* [HackerMon's Blog Post](link)
* [MDL's Blog Post](link)
Note: The original article has been modified for better readability and to adhere to journalistic standards.