Lucene search

GoogleOSV:GHSA-F98W-7CXR-FF2H

HistoryMar 25, 2024 - 7:38 p.m.

KaTeX's `\includegraphics` does not escape filename

2024-03-2519:38:34

Google

osv.dev

katex

vulnerability

filename handling

html

javascript

patch

upgrade

workaround

security advisory

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Avoid use of or turn off the trust option, or set it to forbid \includegraphics commands.
Forbid inputs containing the substring "\\includegraphics".
Sanitize HTML output from KaTeX.

Details

\includegraphics did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at [email protected]

CPENameOperatorVersion
katexlt0.16.10
katexge0.11.0

CPE	Name	Operator	Version
	katex	lt	0.16.10
	katex	ge	0.11.0

References

github.com/KaTeX/KaTeX

github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770

github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h

nvd.nist.gov/vuln/detail/CVE-2024-28245