CVE-2024-28243 (Medium) detected in katex-0.11.1.tgz

[mend-bolt-for-github]

CVE-2024-28243 - Medium Severity Vulnerability

Vulnerable Library - katex-0.11.1.tgz

Fast math typesetting for the web.

Library home page: https://registry.npmjs.org/katex/-/katex-0.11.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/katex/package.json

Dependency Hierarchy:

• ❌ katex-0.11.1.tgz (Vulnerable Library)

Found in HEAD commit: fb5f77da2e6a1abdc8035ddac751a729e7652710

Found in base branch: master

Vulnerability Details

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Publish Date: 2024-03-25

URL: CVE-2024-28243

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-64fm-8hw2-v72w

Release Date: 2024-03-25

Fix Resolution: 0.16.10

---

Step up your Open Source Security Game with Mend here