Source: node-katex
Version: 0.16.4+~cs6.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for node-katex.

CVE-2024-28243[0]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\edef` that causes a near-infinite
| loop, despite setting `maxExpand` to avoid such loops. This can be
| used as an availability attack, where e.g. a client rendering
| another user's KaTeX input will be unable to use the site due to
| memory overflow, tying up the main thread, or stack overflow.
| Upgrade to KaTeX v0.16.10 to remove this vulnerability.

CVE-2024-28244[1]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\def` or `\newcommand` that causes
| a near-infinite loop, despite setting `maxExpand` to avoid such
| loops. KaTeX supports an option named maxExpand which aims to
| prevent infinitely recursive macros from consuming all available
| memory and/or triggering a stack overflow error. Unfortunately,
| support for "Unicode (sub|super)script characters" allows an
| attacker to bypass this limit. Each sub/superscript group
| instantiated a separate Parser with its own limit on macro
| executions, without inheriting the current count of macro executions
| from its parent. This has been corrected in KaTeX v0.16.10.

CVE-2024-28245[2]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\includegraphics` that runs
| arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX
| v0.16.10 to remove this vulnerability.

CVE-2024-28246[3]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| Code that uses KaTeX's `trust` option, specifically that provides a
| function to blacklist certain URL protocols, can be fooled by URLs
| in malicious inputs that use uppercase characters in the protocol.
| In particular, this can allow for malicious input to generate
| `javascript:` links in the output, even if the `trust` function
| tries to forbid this protocol via `trust: (context) =>
| context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to
| remove this vulnerability.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28243
    https://www.cve.org/CVERecord?id=CVE-2024-28243
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w
[1] https://security-tracker.debian.org/tracker/CVE-2024-28244
    https://www.cve.org/CVERecord?id=CVE-2024-28244
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc
[2] https://security-tracker.debian.org/tracker/CVE-2024-28245
    https://www.cve.org/CVERecord?id=CVE-2024-28245
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h
[3] https://security-tracker.debian.org/tracker/CVE-2024-28246
    https://www.cve.org/CVERecord?id=CVE-2024-28246
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329

Regards,
Salvatore
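The CVE-2024-28246 entry above quotes a `trust` callback that only rejects the exact lowercase spelling `'javascript'`. The following is an added example, not code from the Debian report or from KaTeX itself: it places that weak denylist callback beside a hardened one that lowercases the scheme and checks it against an allowlist, and runs both over constructed URLs. `protocolFromUrl` is an assumed stand-in for how the caller's `context.protocol` is derived (it keeps the scheme's original case, which is what lets the denylist be bypassed); `_relative` is KaTeX's documented protocol value for relative URLs.

```javascript
// Constructed helper (not KaTeX's own): derive a scheme from a URL string,
// preserving its original case exactly as the untrusted input spelled it.
function protocolFromUrl(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url.trim());
  // Relative URLs have no scheme; KaTeX documents these as "_relative".
  return m ? m[1] : '_relative';
}

// Weak: the denylist quoted in CVE-2024-28246. A case-sensitive string
// comparison lets "JavaScript:" or "JAVASCRIPT:" through unchanged.
const weakTrust = (context) => context.protocol !== 'javascript';

// Hardened: normalise case first, then require the scheme to be on an
// allowlist. Anything unexpected (data:, vbscript:, ...) is rejected by
// default instead of depending on the denylist being complete.
const ALLOWED_PROTOCOLS = new Set(['http', 'https', '_relative']);
const hardenedTrust = (context) =>
  ALLOWED_PROTOCOLS.has(String(context.protocol).toLowerCase());

// Build a KaTeX-style trust context for a URL and evaluate one callback.
// Returns true when the callback would allow the URL to be emitted.
function evaluate(trust, url, command = '\\href') {
  return trust({ command, url, protocol: protocolFromUrl(url) });
}

// Constructed sample inputs: two benign, the rest case-variant or
// unexpected schemes that a denylist does not anticipate.
const SAMPLES = [
  'https://example.org/doc.pdf',
  'figures/plot.png',
  'javascript:void(0)',
  'JavaScript:void(0)',
  'JAVASCRIPT:void(0)',
  'data:text/html,x',
];

// Side-by-side verdicts; the weak callback allows every case variant
// except the exact lowercase spelling, the hardened one allows only
// the two benign URLs.
function compare() {
  return SAMPLES.map((url) => ({
    url,
    weak: evaluate(weakTrust, url),
    hardened: evaluate(hardenedTrust, url),
  }));
}
```

Running `compare()` shows the divergence directly: `JavaScript:void(0)` is accepted by `weakTrust` and rejected by `hardenedTrust`.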