CVE-2024-28244

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc

Configurations

No configuration.

History

No history.

Information

Published : 2024-03-25 20:15

Updated : 2024-03-26 12:55

NVD link : CVE-2024-28244

Mitre link : CVE-2024-28244

CVE.ORG link : CVE-2024-28244

JSON object : View

Products Affected

No product.

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2024-28244", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-03-25T20:15:08.160", "references": [{"url": "https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2", "source": "security-advisories@github.com"}, {"url": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\\def` or `\\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for \"Unicode (sub|super)script characters\" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10."}, {"lang": "es", "value": "KaTeX es una librer\u00eda de JavaScript para la representaci\u00f3n matem\u00e1tica de TeX en la web. Los usuarios de KaTeX que renderizan expresiones matem\u00e1ticas que no son de confianza podr\u00edan encontrar entradas maliciosas usando `\\def` o `\\newcommand` que causan un bucle casi infinito, a pesar de configurar `maxExpand` para evitar dichos bucles. KaTeX admite una opci\u00f3n llamada maxExpand que tiene como objetivo evitar que las macros infinitamente recursivas consuman toda la memoria disponible y/o provoquen un error de desbordamiento de pila. Desafortunadamente, la compatibilidad con \"caracteres Unicode (sub|super)script\" permite a un atacante eludir este l\u00edmite. Cada grupo de sub/super\u00edndice cre\u00f3 una instancia de un analizador independiente con su propio l\u00edmite de ejecuciones de macros, sin heredar el recuento actual de ejecuciones de macros de su padre. Esto se ha corregido en KaTeX v0.16.10."}], "lastModified": "2024-03-26T12:55:05.010", "sourceIdentifier": "security-advisories@github.com"}