Description
MathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. This attack appear to be exploitable via The victim must view a page where untrusted content is processed using Mathjax.
Recommendation
Update the mathjax package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.7.4
- Patched version(s): 2.7.4
References
Related Issues
- Twitter-Post-Fetcher vulnerable to Use of Web Link to Untrusted Target with window.opener Access - CVE-2018-25058
- happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript - CVE-2025-62410
- Malicious PDF can inject JavaScript into PDF Viewer - CVE-2018-5158
- Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
- Tags:
- npm
- mathjax
Anything's wrong? Let us know Last updated on September 11, 2023