CVE-2024-28243

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-28243
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28243.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-28243
Aliases
Downstream
Related
Published
2024-03-25T20:15:07Z
Modified
2025-07-01T15:46:35.166056Z
Summary
[none]
Details

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

References

Affected packages

Debian:11 / node-katex

Package

Name
node-katex
Purl
pkg:deb/debian/node-katex?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.2+dfsg-8
0.10.2+dfsg-9
0.10.2+dfsg-10
0.13.11+~cs6.0.0-1
0.13.11+~cs6.0.0-2
0.13.11+~cs6.0.0-3
0.16.2+~cs6.1.0-1
0.16.2+~cs6.1.0-2
0.16.2+~cs6.1.0-3
0.16.2+~cs6.1.0-4
0.16.2+~cs6.1.0-5
0.16.3+~cs6.1.0-1
0.16.4+~cs6.1.0-1
0.16.10+~cs6.1.0-1
0.16.10+~cs6.1.0-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / node-katex

Package

Name
node-katex
Purl
pkg:deb/debian/node-katex?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.16.4+~cs6.1.0-1
0.16.10+~cs6.1.0-1
0.16.10+~cs6.1.0-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / node-katex

Package

Name
node-katex
Purl
pkg:deb/debian/node-katex?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.16.10+~cs6.1.0-1

Affected versions

0.*

0.16.4+~cs6.1.0-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/katex/katex

Affected ranges

Type
GIT
Repo
https://github.com/katex/katex
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e88b4c357f978b1bca8edfe3297f0aa309bcbe34

Affected versions

v0.*

v0.1.0
v0.1.1
v0.13.0
v0.13.1
v0.13.10
v0.13.11
v0.13.12
v0.13.13
v0.13.14
v0.13.15
v0.13.16
v0.13.17
v0.13.18
v0.13.19
v0.13.2
v0.13.20
v0.13.21
v0.13.22
v0.13.23
v0.13.24
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.13.7
v0.13.8
v0.13.9
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.15.6
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.16.5
v0.16.6
v0.16.7
v0.16.8
v0.16.9
v0.2.0
v0.3.0