MathJax Regular expression Denial of Service (ReDoS)

Severity:: High

Description

Mathjax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pattern and markdownPattern. NOTE: the vendor disputes this because the regular expressions are not applied to user input; thus, there is no risk.

Recommendation

No fix is available yet. Followings are affected versions:

<= 2.7.9

References

GHSA-v638-q856-grg8
CVE-2023-39663
CWE-1333
CAPEC-310
OWASP 2021-A6

Related Issues

Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 5 - CVE-2020-8203
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 3 - CVE-2020-8203
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 2 - CVE-2020-8203
IPX Allows Path Traversal via Prefix Matching Bypass - CVE-2025-54387

Tags:: npm; mathjax

Anything's wrong? Let us know Last updated on January 31, 2024