CVE-2024-28244 KaTeX's maxExpand bypassed by Unicode sub/superscripts

2024-03-2519:45:50

CWE-674

GitHub_M

www.cve.org

katex

maxexpand

unicode characters

subscripts

superscripts

vulnerabilities

javascript

library

tex

math rendering

web security

cve-2024-28244

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

9.0%

JSON

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for “Unicode (sub|super)script characters” allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.

CNA Affected

[
  {
    "vendor": "KaTeX",
    "product": "KaTeX",
    "versions": [
      {
        "version": ">= 0.15.4, < 0.16.10",
        "status": "affected"
      }
    ]
  }
]