Katex
CVE-2025-23207
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 639 npm packages depend on katex (156 direct, 494 indirect)
Ecosystem-wide dependent count for version 0.12.0.
DescriptionGitHub Advisory
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the trust option, or set it to forbid \htmlData commands, forbid inputs containing the substring "\\htmlData" and sanitize HTML output from KaTeX.
AnalysisAI
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-116. KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the trust option, or set it to forbid \htmlData commands, forbid inputs containing the substring "\\htmlData" and sanitize HTML output from KaTeX. Affected products include: Katex.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.5), this vulnerability is
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.5), this vulnerability is
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 6.1), this vulnerability is
KaTeX is a JavaScript library for TeX math rendering on the web. Rated medium severity (CVSS 5.4), this vulnerability is
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today