KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols
- Severity: Medium
Description
Code that uses KaTeX's trust option, specifically code that passes a trust function which block-lists certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol, because the protocol is compared without first being normalized to a canonical case.
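The following is an added example, not KaTeX's own code, that illustrates the failure mode described above: a block-list trust callback that compares the protocol case-sensitively, placed beside a version that normalizes the protocol first and an allow-list variant. The context shape `{ url, protocol }` handed to the callback, the helper names, and the sample URLs are all assumptions constructed for this illustration and are not taken from the KaTeX API or the advisory.

```javascript
// Added example (not KaTeX's own code). It shows why a protocol block-list
// must normalize case before comparing, and why an allow-list is more robust.
// The context object shape ({ url, protocol }) is an assumption for this demo.

// Extract the scheme of a URL the way a naive caller might: the characters
// before the first ':' if they form a syntactically valid scheme, otherwise
// the marker "_relative" for URLs without a scheme.
function protocolOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url.trim());
  return m ? m[1] : "_relative";
}

// Schemes the application wants to refuse (constructed block-list).
const BLOCKED = new Set(["javascript", "vbscript", "data"]);

// Vulnerable pattern: block-list compared case-sensitively, so any variation
// in letter case slips past the check.
function naiveTrust(context) {
  return !BLOCKED.has(context.protocol);
}

// Hardened pattern: normalize the protocol to lowercase before comparing.
function normalizedTrust(context) {
  return !BLOCKED.has(context.protocol.toLowerCase());
}

// More robust still: allow-list known-safe schemes instead of block-listing,
// so an unanticipated scheme is refused by default.
const ALLOWED = new Set(["http", "https", "mailto", "_relative"]);
function allowListTrust(context) {
  return ALLOWED.has(context.protocol.toLowerCase());
}

// Evaluate a URL under a given trust function, building the context object
// the way a renderer would before invoking the callback.
function evaluate(url, trustFn) {
  return trustFn({ url, protocol: protocolOf(url) });
}

// Constructed sample inputs (not from the advisory): the same harmless
// javascript: URL in three letter cases, plus a normal link and a relative path.
const SAMPLES = [
  "https://example.org/paper.pdf",
  "javascript:void(0)",
  "JavaScript:void(0)",
  "JAVASCRIPT:void(0)",
  "/relative/path",
];

// Map every sample URL to the trust decision a given callback would make.
function report(trustFn) {
  const out = {};
  for (const u of SAMPLES) out[u] = evaluate(u, trustFn);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive block-list:", report(naiveTrust));
  console.log("normalized block-list:", report(normalizedTrust));
  console.log("allow-list:", report(allowListTrust));
}
```

Running the block prints three tables: the naive callback refuses only the all-lowercase `javascript:` URL and trusts the mixed-case and uppercase variants, while both the normalized block-list and the allow-list refuse all three. When reviewing code that cannot yet move to the patched version, the `toLowerCase()` step before the comparison is the minimal change to look for.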
Recommendation
Update the katex package to the latest compatible version. Version details:
- Affected version(s): >= 0.11.0, < 0.16.10
- Patched version(s): 0.16.10
Related Issues
- @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck - CVE-2026-39397
- KaTeX's `\includegraphics` does not escape filename - CVE-2024-28245
- Vditor allows Cross-site Scripting via an attribute of an `A` element - CVE-2024-34449
- DOMPurify allows tampering by prototype pollution - CVE-2024-45801
- Tags: npm, katex
Last updated on March 25, 2024