Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mOTh3LTdjeHItZmYyaM4AA6Ra

KaTeX's `\includegraphics` does not escape filename

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Details

\includegraphics did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-f98w-7cxr-ff2h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mOTh3LTdjeHItZmYyaM4AA6Ra
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 2 months ago


CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-f98w-7cxr-ff2h, CVE-2024-28245
References: Repository: https://github.com/KaTeX/KaTeX
Blast Radius: 27.5

Affected Packages

npm:katex
Dependent packages: 1,186
Dependent repositories: 23,138
Downloads: 4,385,879 last month
Affected Version Ranges: >= 0.11.0, < 0.16.10
Fixed in: 0.16.10
All affected versions: 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.13.7, 0.13.8, 0.13.9, 0.13.10, 0.13.11, 0.13.12, 0.13.13, 0.13.14, 0.13.16, 0.13.17, 0.13.18, 0.13.19, 0.13.20, 0.13.21, 0.13.22, 0.13.23, 0.13.24, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.16.6, 0.16.7, 0.16.8, 0.16.9
All unaffected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.4.0, 0.4.3, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.16.10