katex@0.10.2 vulnerabilities

Fast math typesetting for the web.

Direct Vulnerabilities

Known vulnerabilities in the katex package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Unchecked Input for Loop Condition
Severity: M (medium)

katex is a fast math typesetting library for the web.

Affected versions of this package are vulnerable to Unchecked Input for Loop Condition when handling \edef commands. By crafting malicious input that uses \edef to bypass the maxExpand setting (the limit intended to bound macro expansion), an attacker can cause a near-infinite loop, leading to memory overflow, a tied-up main thread, or a stack overflow.

Note: This vulnerability is particularly concerning for users who render untrusted mathematical expressions, as it can be exploited to perform an availability attack, rendering the service unusable.

How to fix Unchecked Input for Loop Condition?

Upgrade katex to version 0.16.10 or higher.

Vulnerable versions: >=0.10.0-beta <0.16.10