VYPR
Moderate severity · NVD Advisory · Published Jul 23, 2018 · Updated Sep 16, 2024

CVE-2018-1999024

Description

MathJax versions prior to 2.7.4 contain a cross-site scripting vulnerability in the \unicode{} macro, allowing untrusted JavaScript execution in a victim's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the \unicode{} macro in MathJax versions prior to 2.7.4. The macro's argument was used without validating that it is a numeric code point, so an attacker could inject arbitrary HTML and JavaScript through it. This affects any web page that processes untrusted content with MathJax, including user-generated LaTeX or MathML input. The vulnerability was fixed in version 2.7.4 [1][2].

Exploitation

An attacker can exploit this flaw by crafting a malicious input that includes a specially crafted \unicode{} macro. The victim must view a page where untrusted content is processed by MathJax, such as a forum or comment system that renders user-supplied LaTeX. No authentication is required on the attacker's part, as the payload is embedded in the content. The attack is triggered when the victim's browser renders the page, executing the injected script [2][3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, defacement of the page, redirection to malicious sites, or other actions that the victim's browser can perform. The impact is limited to the victim's browser and the permissions of the web application domain [1][2].

Mitigation

The vulnerability is fixed in MathJax version 2.7.4, released on July 23, 2018. Users should upgrade to version 2.7.4 or later. As a workaround, sanitize or disable the \unicode{} macro via a custom configuration if upgrading is not immediately possible. No other workaround is documented in the provided references [2][4].
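As an added example that is not MathJax's own code, the pre-filter below applies the same acceptance rule the 2.7.4 fix enforces (a decimal number, or hex with an x/0x prefix) to every \unicode argument in an untrusted TeX string before it reaches the renderer, and goes one step beyond the fix by bounding the value to a valid code point. The `\unicode[height,depth][font]{N}` syntax is taken from the patched parser; the function names are this example's own.

```javascript
// Added example, not MathJax's own code: reject untrusted TeX whose \unicode
// arguments would fail the 2.7.4 rule (decimal digits, or hex with an x/0x
// prefix) and, beyond the fix, bound the value to a valid code point.
// Assumed syntax, from the patched parser: \unicode[height,depth][font]{N}.

const ARG_RE = /^(x[0-9A-Fa-f]+|[0-9]+)$/;  // the fix's rule, after 0x -> x
const MAX_CODE_POINT = 0x10ffff;

// Parse one \unicode argument into a code point; null if it must be rejected.
function parseUnicodeArg(raw) {
  const n = raw.trim().replace(/^0x/, "x");
  if (!ARG_RE.test(n)) return null;
  const N = n[0] === "x" ? parseInt(n.slice(1), 16) : parseInt(n, 10);
  return Number.isSafeInteger(N) && N <= MAX_CODE_POINT ? N : null;
}

// Contents of the balanced {...} group starting at s[i] === "{", plus the
// index just past its closing brace; null if the group is unbalanced.
function readBraceGroup(s, i) {
  let depth = 0;
  for (let j = i; j < s.length; j++) {
    if (s[j] === "\\") { j++; continue; }  // skip an escaped character
    if (s[j] === "{") depth++;
    else if (s[j] === "}" && --depth === 0) return [s.slice(i + 1, j), j + 1];
  }
  return null;
}

// Scan tex for \unicode uses; return rejected ones as {index, arg} (empty = safe).
function findBadUnicodeMacros(tex) {
  const bad = [];
  const re = /\\unicode(?![A-Za-z])/g;  // the control sequence itself
  let m;
  while ((m = re.exec(tex)) !== null) {
    let i = m.index + m[0].length;
    for (let k = 0; k < 2; k++) {  // skip up to two optional [...] groups
      while (tex[i] === " ") i++;
      if (tex[i] !== "[") break;
      const close = tex.indexOf("]", i);
      if (close < 0) break;
      i = close + 1;
    }
    while (tex[i] === " ") i++;
    // Conservative: only the braced form {N} is accepted; anything else fails.
    const group = tex[i] === "{" ? readBraceGroup(tex, i) : null;
    const arg = group ? group[0] : "";
    if (parseUnicodeArg(arg) === null) bad.push({ index: m.index, arg });
  }
  return bad;
}
```

Run `findBadUnicodeMacros` on submitted TeX and refuse the submission when the result is non-empty; the returned positions make it easy to report which macro was rejected.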

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
mathjax (npm)   < 2.7.4             2.7.4


Patches

a55da396c18c

Fix parsing and output for \class{} and \unicode{}

https://github.com/mathjax/MathJax · Davide P. Cervone · Apr 2, 2018 · via ghsa
2 files changed · +9 −6
  • unpacked/extensions/TeX/unicode.js  +6 −3  modified
    @@ -89,8 +89,11 @@ MathJax.Hub.Register.StartupHook("TeX Jax Ready",function () {
               {HD = HD.replace(/ /g,"").split(/,/); font = this.GetBrackets(name)}
                 else {font = HD; HD = null}
           }
    -      var n = this.trimSpaces(this.GetArgument(name)),
    -          N = parseInt(n.match(/^x/) ? "0"+n : n);
    +      var n = this.trimSpaces(this.GetArgument(name)).replace(/^0x/,"x");
    +      if (!n.match(/^(x[0-9A-Fa-f]+|[0-9]+)$/)) {
    +        TEX.Error(["BadUnicode","Argument to \\unicode must be a number"]);
    +      }
    +      var N = parseInt(n.match(/^x/) ? "0"+n : n);
           if (!UNICODE[N]) {UNICODE[N] = [800,200,font,N]}
           else if (!font) {font = UNICODE[N][2]}
           if (HD) {
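Review bot: the new format check bounds the shape of the argument but not its magnitude: `[0-9]+` and `x[0-9A-Fa-f]+` accept arbitrarily long strings, so `N` can exceed any valid code point after `parseInt` and is still used as the key into `UNICODE[N]` on the next line. Consider adding an upper-bound check (for example `N <= 0x10FFFF`) alongside the regex so the same `TEX.Error` path also rejects out-of-range values. Minor: `parseInt` is called without a radix; it works here only because the value is pre-validated, and `parseInt(n.slice(1), 16)` / `parseInt(n, 10)` would state the intent explicitly.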
    @@ -101,7 +104,7 @@ MathJax.Hub.Register.StartupHook("TeX Jax Ready",function () {
           if (font) {
             UNICODE[N][2] = def.fontfamily = font.replace(/"/g,"'");
             if (variant) {
    -          if (variant.match(/bold/))   {def.fontweight = "bold"}
    +          if (variant.match(/bold/)) {def.fontweight = "bold"}
               if (variant.match(/italic|-mathit/)) {def.fontstyle = "italic"}
             }
           } else if (variant) {def.mathvariant = variant}
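Review bot: this hunk is a whitespace-only change with no behavioural effect. Worth documenting in the surrounding context: `font.replace(/"/g,"'")` only strips double quotes before the value is stored in `def.fontfamily`, which is adequate only if every serializer wraps the attribute in double quotes and quotes the value on output; a one-line comment stating that assumption would keep the two halves of the defence from drifting apart.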
    
  • unpacked/extensions/toMathML.js  +3 −3  modified
    @@ -86,7 +86,7 @@ MathJax.Hub.Register.LoadHook("[MathJax]/jax/element/mml/jax.js",function () {
           if (this.mathvariant && this.toMathMLvariants[this.mathvariant])
             {CLASS.push("MJX"+this.mathvariant)}
           if (this.variantForm) {CLASS.push("MJX-variant")}
    -      if (CLASS.length) {attr.unshift('class="'+CLASS.join(" ")+'"')}
    +      if (CLASS.length) {attr.unshift('class="'+this.toMathMLquote(CLASS.join(" "))+'"')}
         },
         toMathMLattribute: function (value) {
           if (typeof(value) === "string" &&
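Review bot: quoting the joined class list with `this.toMathMLquote` closes the injection path for the `class` attribute, but the underlying pattern is that attribute values are assembled by string concatenation at several call sites; `toMathMLattribute`, which starts in the context lines just below, should be checked for the same handling of values containing `"`, `<` or `&`. A single helper that builds `name="value"` with quoting applied would make it impossible for a call site to forget the step.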
    @@ -165,7 +165,7 @@ MathJax.Hub.Register.LoadHook("[MathJax]/jax/element/mml/jax.js",function () {
             var xmlEscapedTex = jax.originalText.replace(/[&<>]/g, function(item) {
                 return { '>': '&gt;', '<': '&lt;','&': '&amp;' }[item]
             });
    -        data.push(space+'    <annotation encoding="'+annotation+'">'+xmlEscapedTex+"</annotation>");
    +        data.push(space+'    <annotation encoding="'+this.toMathMLquote(annotation)+'">'+xmlEscapedTex+"</annotation>");
             data.push(space+"  </semantics>");
           }
           return space+"<"+tag+attr+">\n"+data.join("\n")+"\n"+space+"</"+tag+">";
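Review bot: the `encoding` attribute value is now quoted, but `xmlEscapedTex` in the context lines above only escapes `&`, `<` and `>`, which is sufficient for element text content and not for attribute context; a comment stating that `xmlEscapedTex` must never be reused for an attribute value would prevent a later regression. Suggest also routing `annotation` through the same quoting helper used for the other attributes rather than inlining it here.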
    @@ -221,7 +221,7 @@ MathJax.Hub.Register.LoadHook("[MathJax]/jax/element/mml/jax.js",function () {
       });
       
       MML.entity.Augment({
    -    toMathML: function (space) {return (space||"") + "&"+this.data[0]+";<!-- "+this.toString()+" -->"}
    +    toMathML: function (space) {return (space||"") + "&"+this.toMathMLquote(this.data[0])+";<!-- "+this.toString()+" -->"}
       });
       
       MML.xml.Augment({
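Review bot: the entity name is now quoted, but `this.toString()` on the same line is still interpolated unescaped into the XML comment; a value containing `--` or `-->` would terminate the comment early and place the remainder in element content. Suggest escaping `-` runs (or dropping the debug comment from serialized output) and, since entity names have a restricted syntax, validating `this.data[0]` against a letters-and-digits pattern rather than relying on quoting alone.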
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
