Improper Encoding or Escaping of Output Affecting node-katex package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN12-NODEKATEX-8647920
- published19 Jan 2025
- disclosed17 Jan 2025
Introduced: 17 Jan 2025
NewCVE-2025-23207 (opens in a new tab)How to fix?
There is no fixed version for Debian:12 node-katex.
NVD Description
Note: Versions mentioned in the description apply only to the upstream node-katex package and not the node-katex package as distributed by Debian.
See How to fix? for Debian:12 relevant fixed versions and status.
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the trust option, or set it to forbid \htmlData commands, forbid inputs containing the substring "\\htmlData" and sanitize HTML output from KaTeX.