Incomplete List of Disallowed Inputs Affecting katex package, versions >=0.11.0 <0.16.10


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.06% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-KATEX-6483834
  • published26 Mar 2024
  • disclosed25 Mar 2024
  • creditTobias S. Fink

Introduced: 25 Mar 2024

CVE-2024-28246  (opens in a new tab)
CWE-184  (opens in a new tab)

How to fix?

Upgrade katex to version 0.16.10 or higher.

Overview

katex is a Fast math typesetting for the web.

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to the trust option. Specifically, the functionality that provides a function to blacklist certain URL protocols, can be bypassed by URLs in malicious inputs that utilize uppercase characters in the protocol. This can allow for the generation of javascript: links in the output, even when the trust function is designed to forbid this protocol.

Workaround

Users can apply the following steps to mitigate the vulnerability:

  1. Allow-list instead of block protocols in your trust function.

  2. Manually lowercase context.protocol via context.protocol.toLowerCase() before attempting to check for certain protocols.

  3. Avoid use of or turn off the trust option.

References

CVSS Scores

version 3.1