Moderate severityNVD Advisory· Published Mar 25, 2024· Updated Feb 5, 2026
KaTeX's maxExpand bypassed by \edef
CVE-2024-28243
Description
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
katexnpm | >= 0.12.0, < 0.16.10 | 0.16.10 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-64fm-8hw2-v72wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-28243ghsaADVISORY
- github.com/KaTeX/KaTeX/commit/e88b4c357f978b1bca8edfe3297f0aa309bcbe34ghsax_refsource_MISCWEB
- github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72wghsax_refsource_CONFIRMWEB
- github.com/github/advisory-database/pull/6777ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.