6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-28244

GHSA ID

GHSA-cvr6-37gx-v8wc

EPSS Score

0.33781%

CWE

CWE-606

Published

3/25/2024

Updated

3/25/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-28244

CVE-2024-28244: KaTeX's maxExpand bypassed by Unicode sub/superscripts

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Forbid inputs containing any of the characters ₊₋₌₍₎₀₁₂₃₄₅₆₇₈₉ₐₑₕᵢⱼₖₗₘₙₒₚᵣₛₜᵤᵥₓᵦᵧᵨᵩᵪ⁺⁻⁼⁽⁾⁰¹²³⁴⁵⁶⁷⁸⁹ᵃᵇᶜᵈᵉᵍʰⁱʲᵏˡᵐⁿᵒᵖʳˢᵗᵘʷˣʸᶻᵛᵝᵞᵟᵠᵡ before passing them to KaTeX. (There is no easy workaround for the auto-render extension.)

Details

KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at katex-security@mit.edu

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-28244

GHSA ID

GHSA-cvr6-37gx-v8wc

EPSS Score

0.33781%

CWE

CWE-606

Published

3/25/2024

Updated

3/25/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
katex	npm	>= 0.15.4, < 0.16.10	0.16.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how Unicode sub/superscript handling was implemented in Parser.js. The original code (pre-patch) created a new Parser instance (new Parser(str, this.settings).parse()) for each sub/superscript group, which reset the macro expansion counter for each new parser. This violated the intended maxExpand protection by allowing recursive macro expansions across multiple parser instances. The fix replaced this with this.subparse() which maintains the same parser context and expansion counter. The commit diff and CVE description both explicitly identify this code path as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t K*T*X us*rs w*o r*n**r untrust** m*t**m*ti**l *xpr*ssions *oul* *n*ount*r m*li*ious input usin* `\***` or `\n*w*omm*n*` t**t **us*s * n**r-in*init* loop, **spit* s*ttin* `m*x*xp*n*` to *voi* su** loops. T*is **n ** us** *s *n *v*il**ility

Reasoning

T** vuln*r**ility st*ms *rom *ow Uni*o** su*/sup*rs*ript **n*lin* w*s impl*m*nt** in P*rs*r.js. T** ori*in*l *o** (pr*-p*t**) *r**t** * n*w P*rs*r inst*n** (`n*w P*rs*r(str, t*is.s*ttin*s).p*rs*()`) *or **** su*/sup*rs*ript *roup, w*i** r*s*t t** m**

6.5

Basic Information

Concerned about an active attack path?

CVE-2024-28244: KaTeX's maxExpand bypassed by Unicode sub/superscripts

Impact

Patches

Workarounds

Details

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI