KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-03-25T19:45:50.907Z
Updated: 2024-08-02T00:48:49.553Z
Reserved: 2024-03-07T14:33:30.036Z
Link: CVE-2024-28244
Vulnrichment
Updated: 2024-05-23T19:01:19.560Z
NVD
Status : Awaiting Analysis
Published: 2024-03-25T20:15:08.160
Modified: 2024-11-21T09:06:05.027
Link: CVE-2024-28244
Redhat
No data.