CVE-2024-28246

MEDIUM EPSS 32.4%
Published Mar 25, 20242y ago · Modified Jun 17, 20262w ago
5.4 CVSS 3.1
Medium
Find Similar
Published Mar 25, 2024 2y ago
Last Modified Jun 17, 2026 2w ago

Description

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

CVSS Details

Base Score
5.4
Exploitability
2.8
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
32.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-184
CWE-697

Affected Products 1

VendorProductVersionRange
katexkatex*≥0.11.0  –  <0.16.10

References 2

  • github.com https://github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de
    Patch
  • github.com https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329
    MitigationThird Party Advisory

Remediation

  • github.com https://github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de
    Patch