CVE-2024-28244: KaTeX's maxExpand bypassed by Unicode sub/superscripts

March 25, 2024

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user’s KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.

References

github.com/KaTeX/KaTeX
github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2
github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc
github.com/advisories/GHSA-cvr6-37gx-v8wc
nvd.nist.gov/vuln/detail/CVE-2024-28244

Code Behaviors & Features

Detect and mitigate CVE-2024-28244 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →