Home > Vulnerability Database > CVE-2024-28243

Mend.io Vulnerability Database

CVE-2024-28243

Good to know:

Date: March 25, 2024

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Language: JS

Severity Score

6.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28243

Url: https://security-tracker.debian.org/tracker/CVE-2024-28243

Url: https://github.com/KaTeX/KaTeX/commit/e88b4c357f978b1bca8edfe3297f0aa309bcbe34

Url: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w

Url: https://www.mend.io/vulnerability-database/CVE-2024-28243

Severity Score

6.5

Weakness Type (CWE)

Uncontrolled Recursion

CWE-674

Top Fix

Upgrade Version

Upgrade to version katex - 0.16.10

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28243

Good to know:

Date: March 25, 2024

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?