Description
Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the \htmlData command, and the lack of escaping leads to XSS.
Recommendation
Update the mathlive package to the latest compatible version. Followings are version details:
- Affected version(s): <= 0.103.0
- Patched version(s): 0.104.0
References
Related Issues
- Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) - CVE-2025-27109
- JS Html Sanitizer allows XSS when used with contentEditable - CVE-2025-29771
- Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
- Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering - CVE-2025-54075
- Tags:
- npm
- mathlive
Anything's wrong? Let us know Last updated on April 02, 2025