Description
KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g.
Recommendation
Update the katex package to the latest compatible version. Followings are version details:
- Affected version(s): >= 0.10.0-beta, < 0.16.10
- Patched version(s): 0.16.10
References
Related Issues
- KaTeX \htmlData does not validate attribute names - CVE-2025-23207
- KaTeX's `\includegraphics` does not escape filename - CVE-2024-28245
- KaTeX's maxExpand bypassed by Unicode sub/superscripts - CVE-2024-28244
- KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols - CVE-2024-28246
- Tags:
- npm
- katex
Anything's wrong? Let us know Last updated on March 25, 2024