Critical Mintlify Vulnerability Exposed Major Tech Giants' Data, Discovered by 16-Year-Old
Mintlify, an AI-powered documentation platform utilized by major tech companies such as Discord, Vercel, Twitter, Cursor, ETA, Cognition, Coinbase, Glean, Groq, and HubSpot, was found to have a critical supply chain vulnerability. The flaw originated from Mintlify’s use of MDX (Markdown with JSX) for rendering client documentation. A security researcher discovered that by injecting arbitrary JavaScript into MDX files, it was possible to execute code on Mintlify’s servers. This server-side execution capability led to Server-Side Request Forgery (SSRF) and, critically, the ability to exfiltrate sensitive environment variables, potentially containing API keys or other credentials belonging to Mintlify’s clients.
The vulnerability further enabled a massive Cross-Site Scripting (XSS) attack, granting access to cookies and other client-side data across affected documentation sites and potentially linked domains. The critical discovery was made by a 16-year-old security researcher named Daniel, known for his track record of identifying severe bugs in prominent platforms. Daniel responsibly reported the flaw, which Mintlify subsequently patched. For this significant disclosure, Daniel reportedly received $5,000 from Mintlify and an additional $4,000 from Discord, totaling $11,000 for the entire discovery. This compensation has sparked discussion within the security community regarding appropriate remuneration for such impactful vulnerabilities. The incident underscores the paramount importance of rigorous security assessments for third-party services and the critical value of responsible vulnerability disclosure.
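The root cause described above is that MDX is Markdown plus JavaScript: `import`/`export` lines and `{...}` expressions are evaluated when the page is compiled on the server, and any JSX or HTML tag the author writes is rendered into readers' browsers. The following is an added example, not Mintlify's code, of a pre-compilation gate a documentation platform can run over customer-supplied MDX before handing it to the compiler. It assumes a server-side MDX toolchain that executes ESM and expressions (the behaviour the article describes) and a hypothetical allowlist of presentational components; the sample document is constructed here, and the component names are assumptions rather than any real platform's API.

```javascript
// Added example, not Mintlify's code: a pre-compilation gate for untrusted MDX.
// Assumption: the MDX compiler evaluates `import`/`export` lines and `{...}`
// expressions as JavaScript on the build server, and renders any tag into the
// reader's browser. The gate reports everything that would execute as code and
// accepts only a (hypothetical) allowlist of presentational components.

const ALLOWED_COMPONENTS = new Set(["Note", "Warning", "Card", "Tabs", "Tab"]);

const FENCE = /^\s*(```|~~~)/;                   // fenced code block delimiter
const INLINE_CODE = /`[^`]*`/g;                  // inline code spans
const ESM_LINE = /^\s*(import|export)\b/;        // top-level ESM statement
const EXPRESSION = /\{[^{}]*\}?|\}/g;            // {...} expression or stray brace
const TAG = /<\/?([A-Za-z][\w.-]*)([^<>]*)>/g;   // JSX / HTML tag with its attributes
const UNSAFE_ATTR = /\bon\w+\s*=|\b(?:href|src)\s*=\s*["']?\s*javascript:/i;

// Scan MDX source and return every construct that would run as code, either on
// the server (esm, expression) or in the browser (component, attribute).
function auditMdx(source) {
  const findings = [];
  let inFence = false;
  source.split(/\r?\n/).forEach((rawLine, idx) => {
    const lineNo = idx + 1;
    if (FENCE.test(rawLine)) { inFence = !inFence; return; }
    if (inFence) return;                           // code blocks are inert text
    const line = rawLine.replace(INLINE_CODE, ""); // so are inline code spans

    if (ESM_LINE.test(line)) {
      findings.push({ line: lineNo, rule: "esm", text: line.trim() });
      return;
    }
    for (const m of line.matchAll(EXPRESSION)) {
      findings.push({ line: lineNo, rule: "expression", text: m[0] });
    }
    for (const m of line.matchAll(TAG)) {
      const [tag, name, attrs] = m;
      if (!ALLOWED_COMPONENTS.has(name)) {
        findings.push({ line: lineNo, rule: "component", text: tag });
      } else if (UNSAFE_ATTR.test(attrs)) {
        findings.push({ line: lineNo, rule: "attribute", text: tag });
      }
    }
  });
  return { safe: findings.length === 0, findings };
}

// Constructed sample: a customer page mixing legitimate content with constructs
// that would execute on the build server (lines 7-8) or in readers' browsers
// (lines 9-10). Lines 3-6 show that code fences and inline code are not flagged.
const SAMPLE_DOC = [
  "# Getting started",
  "<Note>Install the CLI with `npm install` and run `{config}` later.</Note>",
  "```js",
  "import fs from 'fs'",
  "const x = {a: 1}",
  "```",
  "import Chart from '../components/Chart'",
  "Copyright {new Date().getFullYear()} Example Corp",
  "<script src=\"https://example.invalid/t.js\"></script>",
  "<Card title=\"Docs\" href=\"javascript:void(0)\">Open</Card>",
].join("\n");

// Constructed clean page: braces inside inline code are literal text.
const CLEAN_DOC = "# Hello\n\n<Note>Use `{}` literally in code.</Note>\n";

console.log(JSON.stringify(auditMdx(SAMPLE_DOC), null, 2));
```

The gate is a heuristic, not a parser: it is deliberately stricter than MDX itself (every brace outside code is rejected, every non-allowlisted tag is rejected) so that a rejected page fails closed and is reviewed by a human. It complements, rather than replaces, the structural fix the article implies: compiling customer content in an isolated environment that holds no platform credentials in its environment variables and has no network path to internal services, so that even a missed construct yields neither secrets nor SSRF.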