Moderate severityNVD Advisory· Published Mar 25, 2024· Updated Aug 2, 2024

KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols

CVE-2024-28246

Description

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the output, even if the trust function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
katexnpm	>= 0.11.0, < 0.16.10	0.16.10

Affected products

ghsa-coords
pkg:npm/katex
Range: >= 0.11.0, < 0.16.10
KaTeX/KaTeXcpe-rescue
Range: >= 0.11.0, < 0.16.10

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-3wc5-fcw2-2329ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-28246ghsaADVISORY
github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593deghsax_refsource_MISCWEB
github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000