CVE-2024-28244

NameCVE-2024-28244
DescriptionKaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1067805

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-katex (PTS)bullseye0.10.2+dfsg-8vulnerable
bookworm0.16.4+~cs6.1.0-1vulnerable
sid, trixie0.16.10+~cs6.1.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-katexsource(unstable)0.16.10+~cs6.1.0-11067805

Notes

[bookworm] - node-katex <no-dsa> (Minor issue)
[bullseye] - node-katex <no-dsa> (Minor issue)
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc
https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2 (v0.16.10)
Search for package or bug name: Reporting problems