CVE-2024-28243

6.5 MEDIUM
Published: March 25, 2024 Modified: December 05, 2025
View on NVD

Description

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/KaTeX/KaTeX/commit/e88b4c357f978b1bca8edfe3297f0aa309bcbe34
Source: security-advisories@github.com
Patch
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w
Source: security-advisories@github.com
Vendor Advisory
https://github.com/KaTeX/KaTeX/commit/e88b4c357f978b1bca8edfe3297f0aa309bcbe34
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.5 / 10.0
EPSS (Exploit Probability)
0.2%
48th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-674

Affected Vendors

katex

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3