Description
KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g.
Recommendation
Update the katex package to the latest compatible version. Version details:
- Affected version(s): >= 0.15.4, < 0.16.10
- Patched version(s): 0.16.10
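As an added example (not KaTeX project code), the following guard combines the two facts above: it checks whether an installed KaTeX version falls in the affected range, and scans untrusted TeX for macro-defining control sequences before rendering, as an interim measure until the upgrade to 0.16.10 lands. It assumes the caller knows the installed version string; the definers beyond \def and \newcommand are the other macro-defining commands KaTeX supports.

```javascript
// Added example, not part of the advisory or of KaTeX itself.
// Assumption: the caller supplies the installed katex version string.

// Compare dotted numeric versions such as "0.16.10"; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: >= 0.15.4 and < 0.16.10.
function isAffectedKatexVersion(version) {
  return compareVersions(version, '0.15.4') >= 0 &&
         compareVersions(version, '0.16.10') < 0;
}

// \def and \newcommand are the commands named in the advisory; the rest are
// the other macro-defining control words KaTeX accepts.
const MACRO_DEFINERS = new Set(['def', 'gdef', 'edef', 'xdef', 'let',
  'futurelet', 'newcommand', 'renewcommand', 'providecommand']);

// Tokenise the way TeX does: '\' followed by letters is a control word,
// '\' followed by one other character is a control symbol (so "\\def" is a
// line break followed by the letters "def", not \def), and '%' starts a
// comment that runs to end of line. Returns the definers found, in order.
function findMacroDefiners(tex) {
  const found = [];
  for (let i = 0; i < tex.length; i++) {
    const c = tex[i];
    if (c === '%') {
      const nl = tex.indexOf('\n', i);
      i = nl === -1 ? tex.length : nl;
    } else if (c === '\\') {
      let j = i + 1;
      while (j < tex.length && /[a-zA-Z]/.test(tex[j])) j++;
      if (j === i + 1) { i = j; continue; }   // control symbol: consume one char
      const name = tex.slice(i + 1, j);
      if (MACRO_DEFINERS.has(name)) found.push(name);
      i = j - 1;
    }
  }
  return found;
}

// Reject untrusted input only while an affected release is installed.
function shouldRejectUntrustedTex(tex, katexVersion) {
  return isAffectedKatexVersion(katexVersion) && findMacroDefiners(tex).length > 0;
}
```

The scan is a stop-gap for deployments that cannot upgrade immediately; the advisory's recommendation remains updating to 0.16.10.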
Tags: npm, katex
Last updated on March 25, 2024