Lucene search

GitHub Advisory DatabaseGHSA-F98W-7CXR-FF2H

HistoryMar 25, 2024 - 7:38 p.m.

KaTeX's `\includegraphics` does not escape filename

2024-03-2519:38:34

CWE-116

GitHub Advisory Database

github.com

katex

vulnerability

html

javascript

upgrade

security advisory

filename

patch

workaround

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Avoid use of or turn off the trust option, or set it to forbid \includegraphics commands.
Forbid inputs containing the substring "\\includegraphics".
Sanitize HTML output from KaTeX.

Details

\includegraphics did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at [email protected]

Affected configurations

Vulners

Node

katexkatexRange<0.16.10

CPENameOperatorVersion
katexlt0.16.10

CPE	Name	Operator	Version
	katex	lt	0.16.10

References

github.com/advisories/GHSA-f98w-7cxr-ff2h

github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770

github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h

nvd.nist.gov/vuln/detail/CVE-2024-28245