MathJax Regular expression Denial of Service (ReDoS)

Description

Mathjax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pattern and markdownPattern. NOTE: the vendor disputes this because the regular expressions are not applied to user input; thus, there is no risk.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2.7.9

References

• GHSA-v638-q856-grg8
• CVE-2023-39663
• CWE-1333
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Regular Expression Denial of Service (ReDoS) in lodash - CVE-2020-28500
• Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
• jsPDF Bypass Regular Expression Denial of Service (ReDoS) - CVE-2025-29907
• Marked allows Regular Expression Denial of Service (ReDoS) attacks - CVE-2018-25110

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

mathjax