CVE-2024-28245

MEDIUM

KaTeX <0.16.10 - RCE

Title source: llm

Description

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

References (2)

[Third Party Advisory] https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h

[Patch] https://github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770

View Patch ZIP pw:eip

Scores

CVSS v3 6.3

EPSS 0.0005

EPSS Percentile 14.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-116

Status published

Products (2)

katex/katex 0.11.0 - 0.16.10

npm/katex 0.11.0 - 0.16.10npm

Published Mar 25, 2024

Tracked Since Feb 18, 2026