Katex
CVE-2024-28246
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 3 npm packages depend on katex (2 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.11.0.
DescriptionNVD
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the output, even if the trust function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
AnalysisAI
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-184. KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the output, even if the trust function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'. Upgrade to KaTeX v0.16.10 to remove this vulnerability. Affected products include: Katex.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.5), this vulnerability is
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.5), this vulnerability is
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.1), this vulnerability is
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.3), thi
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today