📂 Vulnerable Library - markdown-it-katex-4.0.1.tgz
Fast math support for markdown-it with KaTeX
Path to dependency file: /extensions/markdown-math/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
| CVE-2024-28243 |
🔴 High |
7.1 |
Not Defined |
< 1% |
katex-0.13.24.tgz |
Transitive |
N/A |
❌ |
| CVE-2024-28245 |
🟠 Medium |
5.3 |
Not Defined |
< 1% |
katex-0.13.24.tgz |
Transitive |
N/A |
❌ |
| CVE-2025-23207 |
🟠 Medium |
5.3 |
Not Defined |
< 1% |
katex-0.13.24.tgz |
Transitive |
N/A |
❌ |
| CVE-2024-28246 |
🟠 Medium |
5.1 |
Not Defined |
< 1% |
katex-0.13.24.tgz |
Transitive |
N/A |
❌ |
Details
🔴CVE-2024-28243
Vulnerable Library - katex-0.13.24.tgz
Fast math typesetting for the web.
Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz
Path to dependency file: /extensions/markdown-math/package.json
Dependency Hierarchy:
- markdown-it-katex-4.0.1.tgz (Root Library)
- ❌ katex-0.13.24.tgz (Vulnerable Library)
Vulnerability Details
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using "\edef" that causes a near-infinite loop, despite setting "maxExpand" to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 25, 2024 07:40 PM
URL: CVE-2024-28243
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2024-28245
Vulnerable Library - katex-0.13.24.tgz
Fast math typesetting for the web.
Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz
Path to dependency file: /extensions/markdown-math/package.json
Dependency Hierarchy:
- markdown-it-katex-4.0.1.tgz (Root Library)
- ❌ katex-0.13.24.tgz (Vulnerable Library)
Vulnerability Details
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using "\includegraphics" that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 25, 2024 07:53 PM
URL: CVE-2024-28245
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2025-23207
Vulnerable Library - katex-0.13.24.tgz
Fast math typesetting for the web.
Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz
Path to dependency file: /extensions/markdown-math/package.json
Dependency Hierarchy:
- markdown-it-katex-4.0.1.tgz (Root Library)
- ❌ katex-0.13.24.tgz (Vulnerable Library)
Vulnerability Details
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with "renderToString" could encounter malicious input using "\htmlData" that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the "trust" option, or set it to forbid "\htmlData" commands, forbid inputs containing the substring ""\htmlData"" and sanitize HTML output from KaTeX.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 17, 2025 09:25 PM
URL: CVE-2025-23207
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-cg87-wmx4-v546
Release Date: Jan 17, 2025 09:25 PM
Fix Resolution : katex - 0.16.21
🟠CVE-2024-28246
Vulnerable Library - katex-0.13.24.tgz
Fast math typesetting for the web.
Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz
Path to dependency file: /extensions/markdown-math/package.json
Dependency Hierarchy:
- markdown-it-katex-4.0.1.tgz (Root Library)
- ❌ katex-0.13.24.tgz (Vulnerable Library)
Vulnerability Details
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's "trust" option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate "javascript:" links in the output, even if the "trust" function tries to forbid this protocol via "trust: (context) => context.protocol !== 'javascript'". Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 25, 2024 08:00 PM
URL: CVE-2024-28246
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
📂 Vulnerable Library - markdown-it-katex-4.0.1.tgz
Fast math support for markdown-it with KaTeX
Path to dependency file: /extensions/markdown-math/package.json
Findings
Details
🔴CVE-2024-28243
Vulnerable Library - katex-0.13.24.tgz
Fast math typesetting for the web.
Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz
Path to dependency file: /extensions/markdown-math/package.json
Dependency Hierarchy:
Vulnerability Details
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using "\edef" that causes a near-infinite loop, despite setting "maxExpand" to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 25, 2024 07:40 PM
URL: CVE-2024-28243
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2024-28245
Vulnerable Library - katex-0.13.24.tgz
Fast math typesetting for the web.
Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz
Path to dependency file: /extensions/markdown-math/package.json
Dependency Hierarchy:
Vulnerability Details
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using "\includegraphics" that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 25, 2024 07:53 PM
URL: CVE-2024-28245
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2025-23207
Vulnerable Library - katex-0.13.24.tgz
Fast math typesetting for the web.
Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz
Path to dependency file: /extensions/markdown-math/package.json
Dependency Hierarchy:
Vulnerability Details
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with "renderToString" could encounter malicious input using "\htmlData" that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the "trust" option, or set it to forbid "\htmlData" commands, forbid inputs containing the substring ""\htmlData"" and sanitize HTML output from KaTeX.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 17, 2025 09:25 PM
URL: CVE-2025-23207
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-cg87-wmx4-v546
Release Date: Jan 17, 2025 09:25 PM
Fix Resolution : katex - 0.16.21
🟠CVE-2024-28246
Vulnerable Library - katex-0.13.24.tgz
Fast math typesetting for the web.
Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz
Path to dependency file: /extensions/markdown-math/package.json
Dependency Hierarchy:
Vulnerability Details
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's "trust" option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate "javascript:" links in the output, even if the "trust" function tries to forbid this protocol via "trust: (context) => context.protocol !== 'javascript'". Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 25, 2024 08:00 PM
URL: CVE-2024-28246
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :