Home > Vulnerability Database > CVE-2024-28244

Mend.io Vulnerability Database

CVE-2024-28244

Good to know:

Date: March 25, 2024

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using "\def" or "\newcommand" that causes a near-infinite loop, despite setting "maxExpand" to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.

Language: JS

Severity Score

6.5

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28244

Url: https://security-tracker.debian.org/tracker/CVE-2024-28244

Url: https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2

Url: https://github.com/KaTeX/KaTeX

Url: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc

Url: https://www.mend.io/vulnerability-database/CVE-2024-28244

Severity Score

6.5

Weakness Type (CWE)

Unchecked Input for Loop Condition

CWE-606

Uncontrolled Recursion

CWE-674

Top Fix

Upgrade Version

Upgrade to version katex - 0.16.10

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28244

Good to know:

Date: March 25, 2024

Language: JS

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?