Description
KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g.
Recommendation
Update the katex package to the latest compatible version. Followings are version details:
- Affected version(s): >= 0.12.0, < 0.16.10
- Patched version(s): 0.16.10
References
Related Issues
- KaTeX's maxExpand bypassed by Unicode sub/superscripts - CVE-2024-28244
- Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - CVE-2024-23331
- KaTeX's `\includegraphics` does not escape filename - CVE-2024-28245
- KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols - CVE-2024-28246
You might also like:
- Tags:
- npm
- katex
Anything's wrong? Let us know Last updated on February 05, 2026


