CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%
KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def
or \newcommand
that causes a near-infinite loop, despite setting maxExpand
to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another userβs KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Forbid inputs containing any of the characters βββββββββββ
βββββββα΅’β±Όββββββα΅£ββα΅€α΅₯βᡦᡧᡨᡩα΅ͺβΊβ»βΌβ½βΎβ°ΒΉΒ²Β³β΄β΅βΆβ·βΈβΉα΅α΅αΆα΅α΅α΅Κ°β±Κ²α΅Λ‘α΅βΏα΅α΅Κ³Λ’α΅α΅Κ·Λ£ΚΈαΆ»α΅α΅α΅α΅α΅ α΅‘
before passing them to KaTeX.
(There is no easy workaround for the auto-render extension.)
KaTeX supports an option named maxExpand
which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for βUnicode (sub|super)script charactersβ allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.
If you have any questions or comments about this advisory:
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%