Homepage
About Snyk

Incomplete List of Disallowed Inputs Affecting katex package, versions >=0.11.0 <0.16.10

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.06% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-KATEX-6483834
  • published 26 Mar 2024
  • disclosed 25 Mar 2024
  • credit Tobias S. Fink
Report a new vulnerability Found a mistake?

Introduced: 25 Mar 2024

CVE-2024-28246 Open this link in a new tab
CWE-184 Open this link in a new tab

How to fix?

Upgrade katex to version 0.16.10 or higher.

Overview

katex is a Fast math typesetting for the web.

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to the trust option. Specifically, the functionality that provides a function to blacklist certain URL protocols, can be bypassed by URLs in malicious inputs that utilize uppercase characters in the protocol. This can allow for the generation of javascript: links in the output, even when the trust function is designed to forbid this protocol.

Workaround

Users can apply the following steps to mitigate the vulnerability:

  1. Allow-list instead of block protocols in your trust function.

  2. Manually lowercase context.protocol via context.protocol.toLowerCase() before attempting to check for certain protocols.

  3. Avoid use of or turn off the trust option.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    Low