Katex
CVE-2024-28245
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 3 npm packages depend on katex (2 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.11.0.
DescriptionNVD
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
AnalysisAI
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-116. KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability. Affected products include: Katex.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.5), this vulnerability is
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.5), this vulnerability is
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 5.4), this vulnerability is
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.3), thi
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today