Skip to content

markdown-it-katex-4.0.1.tgz: 4 vulnerabilities (highest severity is: 7.1) [169] #22

Description

@renovate
📂 Vulnerable Library - markdown-it-katex-4.0.1.tgz

Fast math support for markdown-it with KaTeX

Path to dependency file: /extensions/markdown-math/package.json

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available
CVE-2024-28243 🔴 High 7.1 Not Defined < 1% katex-0.13.24.tgz Transitive N/A
CVE-2024-28245 🟠 Medium 5.3 Not Defined < 1% katex-0.13.24.tgz Transitive N/A
CVE-2025-23207 🟠 Medium 5.3 Not Defined < 1% katex-0.13.24.tgz Transitive N/A
CVE-2024-28246 🟠 Medium 5.1 Not Defined < 1% katex-0.13.24.tgz Transitive N/A

Details

🔴CVE-2024-28243

Vulnerable Library - katex-0.13.24.tgz

Fast math typesetting for the web.

Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz

Path to dependency file: /extensions/markdown-math/package.json

Dependency Hierarchy:

  • markdown-it-katex-4.0.1.tgz (Root Library)
    • katex-0.13.24.tgz (Vulnerable Library)

Vulnerability Details

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using "\edef" that causes a near-infinite loop, despite setting "maxExpand" to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Mar 25, 2024 07:40 PM

URL: CVE-2024-28243

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🟠CVE-2024-28245

Vulnerable Library - katex-0.13.24.tgz

Fast math typesetting for the web.

Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz

Path to dependency file: /extensions/markdown-math/package.json

Dependency Hierarchy:

  • markdown-it-katex-4.0.1.tgz (Root Library)
    • katex-0.13.24.tgz (Vulnerable Library)

Vulnerability Details

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using "\includegraphics" that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Mar 25, 2024 07:53 PM

URL: CVE-2024-28245

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 5.3


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🟠CVE-2025-23207

Vulnerable Library - katex-0.13.24.tgz

Fast math typesetting for the web.

Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz

Path to dependency file: /extensions/markdown-math/package.json

Dependency Hierarchy:

  • markdown-it-katex-4.0.1.tgz (Root Library)
    • katex-0.13.24.tgz (Vulnerable Library)

Vulnerability Details

KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with "renderToString" could encounter malicious input using "\htmlData" that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the "trust" option, or set it to forbid "\htmlData" commands, forbid inputs containing the substring ""\htmlData"" and sanitize HTML output from KaTeX.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jan 17, 2025 09:25 PM

URL: CVE-2025-23207

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 5.3


Suggested Fix

Type: Upgrade version

Origin: GHSA-cg87-wmx4-v546

Release Date: Jan 17, 2025 09:25 PM

Fix Resolution : katex - 0.16.21

🟠CVE-2024-28246

Vulnerable Library - katex-0.13.24.tgz

Fast math typesetting for the web.

Library home page: https://registry.npmjs.org/katex/-/katex-0.13.24.tgz

Path to dependency file: /extensions/markdown-math/package.json

Dependency Hierarchy:

  • markdown-it-katex-4.0.1.tgz (Root Library)
    • katex-0.13.24.tgz (Vulnerable Library)

Vulnerability Details

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's "trust" option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate "javascript:" links in the output, even if the "trust" function tries to forbid this protocol via "trust: (context) => context.protocol !== 'javascript'". Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Mar 25, 2024 08:00 PM

URL: CVE-2024-28246

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 5.1


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions