CVE-2024-28243 (Medium) detected in katex-0.11.1.tgz

[mend-bolt-for-github[bot]]

CVE-2024-28243 - Medium Severity Vulnerability

Vulnerable Library - katex-0.11.1.tgz

Fast math typesetting for the web.

Library home page: https://registry.npmjs.org/katex/-/katex-0.11.1.tgz

Path to dependency file: /pro-table/package.json

Path to vulnerable library: /pro-table/node_modules/katex/package.json

Dependency Hierarchy: - dumi-1.0.20.tgz (Root Library) - preset-dumi-1.0.20.tgz - :x: **katex-0.11.1.tgz** (Vulnerable Library)

Found in HEAD commit: 50a539d66e7a2f790cf8a8d8d1471993698c9adc

Found in base branch: master

Vulnerability Details

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Publish Date: 2024-03-25

URL: CVE-2024-28243

CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w

Release Date: 2024-03-25

Fix Resolution: katex - 0.16.10

---

Step up your Open Source Security Game with Mend here