Description
KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g.
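As an added example (not KaTeX project code), a defender-side gate for rendering untrusted input while a deployment is still on an affected version: it checks the installed KaTeX version against the advisory's range, rejects input containing the \def or \newcommand control words on affected versions, and always passes maxExpand explicitly. The injected render function, the source of the version string and the parameter names are assumptions.

```javascript
// Affected range from the advisory: >= 0.15.4, < 0.16.10 (patched in 0.16.10).
const AFFECTED_MIN = [0, 15, 4];
const PATCHED = [0, 16, 10];

// Parse "major.minor.patch" (an optional leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true when the installed KaTeX version lies inside the affected range
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, PATCHED) < 0;
}

// Control words the advisory names as the trigger for the expansion loop.
const MACRO_DEF_WORDS = new Set(['def', 'newcommand']);

// Tokenise control sequences the way TeX does: backslash + letters is one control
// word, backslash + anything else is a control symbol, so "\\def" is a line break
// followed by plain text and "\define" is not "\def".
function containsMacroDefinition(tex) {
  for (let i = 0; i < tex.length; i++) {
    if (tex[i] !== '\\') continue;
    let j = i + 1;
    while (j < tex.length && /[A-Za-z]/.test(tex[j])) j++;
    if (j === i + 1) { i = j; continue; } // control symbol: skip the escaped char
    if (MACRO_DEF_WORDS.has(tex.slice(i + 1, j))) return true;
    i = j - 1;
  }
  return false;
}

// Gate for untrusted input. `render` is the caller's renderer (assumed to be
// katex.renderToString), `version` the installed KaTeX version string. Macro
// definitions are refused while on an affected version; maxExpand is still
// passed explicitly because it remains the expansion limit on patched versions.
function renderUntrusted(tex, { render, version, maxExpand = 1000 }) {
  if (isAffectedVersion(version) && containsMacroDefinition(tex)) {
    throw new Error(`macro definitions rejected on KaTeX ${version}; upgrade to 0.16.10`);
  }
  return render(tex, { maxExpand, throwOnError: false });
}
```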
Recommendation
Update the katex package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 0.15.4, < 0.16.10
- Patched version(s): 0.16.10
Tags: npm, katex
Last updated on March 25, 2024