GHSA-3WC5-FCW2-2329
Vulnerability from github – Published: 2024-03-25 19:38 – Updated: 2024-03-25 22:32Impact
Code that uses KaTeX's trust option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the output, even if the trust function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'.
Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
- Allow-list instead of block protocols in your
trustfunction. - Manually lowercase
context.protocolviacontext.protocol.toLowerCase()before attempting to check for certain protocols. - Avoid use of or turn off the
trustoption.
Details
KaTeX did not normalize the protocol entry of the context object provided to a user-specified trust-function, so it could be a mix of lowercase and/or uppercase letters.
It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:
Allow all commands but forbid specific protocol:
trust: (context) => context.protocol !== 'file'
Currently KaTeX internally sees file: and File: URLs as different protocols, so context.protocol can be file or File, so the above check does not suffice. A simple workaround would be:
trust: (context) => context.protocol.toLowerCase() !== 'file'
Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:
Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "katex"
},
"ranges": [
{
"events": [
{
"introduced": "0.11.0"
},
{
"fixed": "0.16.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28246"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-25T19:38:37Z",
"nvd_published_at": "2024-03-25T20:15:08Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nCode that uses KaTeX\u0027s `trust` option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) =\u003e context.protocol !== \u0027javascript\u0027`.\n\n### Patches\nUpgrade to KaTeX v0.16.10 to remove this vulnerability.\n\n### Workarounds\n* Allow-list instead of block protocols in your `trust` function.\n* Manually lowercase `context.protocol` via `context.protocol.toLowerCase()` before attempting to check for certain protocols.\n* Avoid use of or turn off the `trust` option.\n\n\n### Details\nKaTeX did not normalize the `protocol` entry of the `context` object provided to a user-specified `trust`-function, so it could be a mix of lowercase and/or uppercase letters.\n\nIt is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the [KaTeX documentation](https://katex.org/docs/options.html) even provides such an example:\n\n\u003e Allow all commands but forbid specific protocol: `trust: (context) =\u003e context.protocol !== \u0027file\u0027`\n\nCurrently KaTeX internally sees `file:` and `File:` URLs as different protocols, so `context.protocol` can be `file` or `File`, so the above check does not suffice. A simple workaround would be:\n\n\u003e `trust: (context) =\u003e context.protocol.toLowerCase() !== \u0027file\u0027`\n\nMost URL parsers normalize the scheme to lowercase. For example, [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.1) says:\n\n\u003e Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow \"HTTP\" as well as \"http\") for the sake of robustness but should only produce lowercase scheme names for consistency.\n",
"id": "GHSA-3wc5-fcw2-2329",
"modified": "2024-03-25T22:32:09Z",
"published": "2024-03-25T19:38:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28246"
},
{
"type": "WEB",
"url": "https://github.com/KaTeX/KaTeX/commit/fc5af64183a3ceb9be9d1c23a275999a728593de"
},
{
"type": "PACKAGE",
"url": "https://github.com/KaTeX/KaTeX"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.