CVE-2024-28244

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.

### Impact KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. ### Patches Upgrade to KaTeX v0.16.10 to remove this vulnerability. ### Workarounds Forbid inputs containing any of the characters `₊₋₌₍₎₀₁₂₃₄₅₆₇₈₉ₐₑₕᵢⱼₖₗₘₙₒₚᵣₛₜᵤᵥₓᵦᵧᵨᵩᵪ⁺⁻⁼⁽⁾⁰¹²³⁴⁵⁶⁷⁸⁹ᵃᵇᶜᵈᵉᵍʰⁱʲᵏˡᵐⁿᵒᵖʳˢᵗᵘʷˣʸᶻᵛᵝᵞᵟᵠᵡ` before passing them to KaTeX. (There is no easy workaround for the auto-render extension.) ### Details KaTeX supports an option named `maxExpand` which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, [support for "Unicode (sub|super)script characters"](https://github.com/KaTeX/KaTeX/commit/d8fc35e6a97f8e561c723b93ad275cf5a7f3094a) allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10. ### For more information If you have any questions or comments about this advisory: * Open an issue or security advisory in the [KaTeX repository](https://github.com/KaTeX/KaTeX/) * Email us at [katex-security@mit.edu](mailto:katex-security@mit.edu)

### Impact KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. ### Patches Upgrade to KaTeX v0.16.10 to remove this vulnerability. ### Workarounds Forbid inputs containing any of the characters `₊₋₌₍₎₀₁₂₃₄₅₆₇₈₉ₐₑₕᵢⱼₖₗₘₙₒₚᵣₛₜᵤᵥₓᵦᵧᵨᵩᵪ⁺⁻⁼⁽⁾⁰¹²³⁴⁵⁶⁷⁸⁹ᵃᵇᶜᵈᵉᵍʰⁱʲᵏˡᵐⁿᵒᵖʳˢᵗᵘʷˣʸᶻᵛᵝᵞᵟᵠᵡ` before passing them to KaTeX. (There is no easy workaround for the auto-render extension.) ### Details KaTeX supports an option named `maxExpand` which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, [support for "Unicode (sub|super)script characters"](https://github.com/KaTeX/KaTeX/commit/d8fc35e6a97f8e561c723b93ad275cf5a7f3094a) allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10. ### For more information If you have any questions or comments about this advisory: * Open an issue or security advisory in the [KaTeX repository](https://github.com/KaTeX/KaTeX/) * Email us at [katex-security@mit.edu](mailto:katex-security@mit.edu)

KaTeX es una librería de JavaScript para la representación matemática de TeX en la web. Los usuarios de KaTeX que renderizan expresiones matemáticas que no son de confianza podrían encontrar entradas maliciosas usando `\def` o `\newcommand` que causan un bucle casi infinito, a pesar de configurar `maxExpand` para evitar dichos bucles. KaTeX admite una opción llamada maxExpand que tiene como objetivo evitar que las macros infinitamente recursivas consuman toda la memoria disponible y/o provoquen un error de desbordamiento de pila. Desafortunadamente, la compatibilidad con "caracteres Unicode (sub|super)script" permite a un atacante eludir este límite. Cada grupo de sub/superíndice creó una instancia de un analizador independiente con su propio límite de ejecuciones de macros, sin heredar el recuento actual de ejecuciones de macros de su padre. Esto se ha corregido en KaTeX v0.16.10.