CVE-2025-23207

Name: CVE-2025-23207
Description: KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generates invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the substring `"\\htmlData"`, and sanitize HTML output from KaTeX.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1093446

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    | Release     | Version             | Status
------------------|-------------|---------------------|-----------
node-katex (PTS)  | bullseye    | 0.10.2+dfsg-8       | vulnerable
                  | bookworm    | 0.16.4+~cs6.1.0-1   | vulnerable
                  | sid, trixie | 0.16.10+~cs6.1.0-2  | vulnerable

The information below is based on the following data on fixed versions.

Package     | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
------------|--------|------------|---------------|---------|--------|------------
node-katex  | source | (unstable) | (unfixed)     |         |        | 1093446

Notes

[bookworm] - node-katex <no-dsa> (Minor issue)
[bullseye] - node-katex <postponed> (Minor issue; can be fixed in next update)
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546
https://github.com/KaTeX/KaTeX/commit/ff289955e81aab89086eef09254cbf88573d415c (v0.16.21)
