CVE-2024-28244 (GCVE-0-2024-28244)

Vulnerability from cvelistv5 – Published: 2024-03-25 19:45 – Updated: 2024-08-02 00:48
VLAI?
Title
KaTeX's maxExpand bypassed by Unicode sub/superscripts
Summary
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
KaTeX KaTeX Affected: >= 0.15.4, < 0.16.10
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28244",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-27T19:31:17.212689Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:04:04.283Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.553Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc"
          },
          {
            "name": "https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "KaTeX",
          "vendor": "KaTeX",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.15.4, \u003c 0.16.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\\def` or `\\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for \"Unicode (sub|super)script characters\" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-25T19:45:50.907Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc"
        },
        {
          "name": "https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2"
        }
      ],
      "source": {
        "advisory": "GHSA-cvr6-37gx-v8wc",
        "discovery": "UNKNOWN"
      },
      "title": "KaTeX\u0027s maxExpand bypassed by Unicode sub/superscripts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28244",
    "datePublished": "2024-03-25T19:45:50.907Z",
    "dateReserved": "2024-03-07T14:33:30.036Z",
    "dateUpdated": "2024-08-02T00:48:49.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\\\\def` or `\\\\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for \\\"Unicode (sub|super)script characters\\\" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.\"}, {\"lang\": \"es\", \"value\": \"KaTeX es una librer\\u00eda de JavaScript para la representaci\\u00f3n matem\\u00e1tica de TeX en la web. Los usuarios de KaTeX que renderizan expresiones matem\\u00e1ticas que no son de confianza podr\\u00edan encontrar entradas maliciosas usando `\\\\def` o `\\\\newcommand` que causan un bucle casi infinito, a pesar de configurar `maxExpand` para evitar dichos bucles. KaTeX admite una opci\\u00f3n llamada maxExpand que tiene como objetivo evitar que las macros infinitamente recursivas consuman toda la memoria disponible y/o provoquen un error de desbordamiento de pila. Desafortunadamente, la compatibilidad con \\\"caracteres Unicode (sub|super)script\\\" permite a un atacante eludir este l\\u00edmite. Cada grupo de sub/super\\u00edndice cre\\u00f3 una instancia de un analizador independiente con su propio l\\u00edmite de ejecuciones de macros, sin heredar el recuento actual de ejecuciones de macros de su padre. Esto se ha corregido en KaTeX v0.16.10.\"}]",
      "id": "CVE-2024-28244",
      "lastModified": "2024-11-21T09:06:05.027",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2024-03-25T20:15:08.160",
      "references": "[{\"url\": \"https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-674\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-28244\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-25T20:15:08.160\",\"lastModified\":\"2025-09-02T13:34:14.423\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\\\\def` or `\\\\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for \\\"Unicode (sub|super)script characters\\\" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.\"},{\"lang\":\"es\",\"value\":\"KaTeX es una librer\u00eda de JavaScript para la representaci\u00f3n matem\u00e1tica de TeX en la web. Los usuarios de KaTeX que renderizan expresiones matem\u00e1ticas que no son de confianza podr\u00edan encontrar entradas maliciosas usando `\\\\def` o `\\\\newcommand` que causan un bucle casi infinito, a pesar de configurar `maxExpand` para evitar dichos bucles. KaTeX admite una opci\u00f3n llamada maxExpand que tiene como objetivo evitar que las macros infinitamente recursivas consuman toda la memoria disponible y/o provoquen un error de desbordamiento de pila. Desafortunadamente, la compatibilidad con \\\"caracteres Unicode (sub|super)script\\\" permite a un atacante eludir este l\u00edmite. Cada grupo de sub/super\u00edndice cre\u00f3 una instancia de un analizador independiente con su propio l\u00edmite de ejecuciones de macros, sin heredar el recuento actual de ejecuciones de macros de su padre. Esto se ha corregido en KaTeX v0.16.10.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:katex:katex:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.15.4\",\"versionEndExcluding\":\"0.16.10\",\"matchCriteriaId\":\"729BBD95-67F2-4FD3-A741-3A91D5C1161D\"}]}]}],\"references\":[{\"url\":\"https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"KaTeX\u0027s maxExpand bypassed by Unicode sub/superscripts\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-674\", \"lang\": \"en\", \"description\": \"CWE-674: Uncontrolled Recursion\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc\"}, {\"name\": \"https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2\"}], \"affected\": [{\"vendor\": \"KaTeX\", \"product\": \"KaTeX\", \"versions\": [{\"version\": \"\u003e= 0.15.4, \u003c 0.16.10\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-25T19:45:50.907Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\\\\def` or `\\\\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for \\\"Unicode (sub|super)script characters\\\" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.\"}], \"source\": {\"advisory\": \"GHSA-cvr6-37gx-v8wc\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28244\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-27T19:31:17.212689Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:19.560Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-28244\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-03-07T14:33:30.036Z\", \"datePublished\": \"2024-03-25T19:45:50.907Z\", \"dateUpdated\": \"2024-06-04T18:04:04.283Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.