CVE-2024-28243
Denial of Service vulnerability in katex (npm)
What is CVE-2024-28243 About?
KaTeX can be driven into a near-infinite loop when it renders untrusted mathematical expressions that use the `\edef` TeX command, even when the `maxExpand` option is set to bound macro expansion. Crafted input can exhaust memory or the call stack and leave the rendering client unresponsive. Exploitation is straightforward for anyone who can submit input that the application renders with KaTeX.
Affected Software
Technical Details
The vulnerability stems from an incomplete fix in how KaTeX's macro expander enforces the `maxExpand` option against the `\edef` TeX command. `maxExpand` exists to stop runaway recursion, but affected versions counted an 'expansion' as one macro being replaced by its body, however many tokens that body contains. `\edef` fully expands its body at definition time and stores the result, so an attacker can define a macro, redefine it with `\edef` as two copies of itself, and repeat: each step is charged a constant number of expansions while the stored definition doubles in size. After a linear number of steps the macro expands to an exponentially large token list, which exhausts memory or stack space, ties up the main thread, or triggers a stack overflow in the client rendering the expression, producing a denial of service.
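The doubling pattern described above, as an added example: a toy TeX macro expander in JavaScript that models how a `maxExpand` budget interacts with `\edef`. It is not KaTeX's own MacroExpander and none of its names (`tokenize`, `readGroup`, `expand`, `doublingInput`, `tryExpand`) come from the project. The default policy charges one unit per macro expansion regardless of how many tokens result, which is the accounting the paragraph describes for affected versions; the `countEdefTokens` policy additionally charges `\edef` for every token in the expanded body it stores. That second policy is an assumption about how a per-token count bounds the growth, not a transcription of the fix in the linked commit.

```javascript
// Added example: a toy TeX macro expander that models how maxExpand accounting
// interacts with \edef. It is NOT KaTeX's MacroExpander; all names are invented here.

// Split input into control words (\def, \edef, \a ...) and single characters.
function tokenize(src) {
  return src.match(/\\[a-zA-Z]+|\S/g) || [];
}

// Pop a balanced {...} group off a token stack (top of stack = next token).
function readGroup(stack) {
  if (stack.pop() !== "{") throw new Error("expected {");
  const body = [];
  let depth = 1;
  while (stack.length) {
    const t = stack.pop();
    if (t === "{") depth++;
    else if (t === "}" && --depth === 0) return body;
    body.push(t);
  }
  throw new Error("unbalanced group");
}

// Expand `src` under a maxExpand budget.
//   countEdefTokens=false: legacy accounting, one unit per macro expansion,
//                          however many tokens that expansion yields.
//   countEdefTokens=true:  additionally charge \edef for every token in the
//                          fully expanded body it stores (assumed fix model).
// Returns { output, expansions }; throws once the budget is exceeded.
function expand(src, { maxExpand = 1000, countEdefTokens = false } = {}) {
  const macros = new Map();
  let expansions = 0;
  const charge = (n) => {
    expansions += n;
    if (expansions > maxExpand) {
      throw new Error(`Too many expansions: ${expansions} > maxExpand=${maxExpand}`);
    }
  };

  // Expand a token list until no macro tokens remain. Definitions are only
  // honoured at top level; inside an \edef body only expansion happens.
  function process(tokens, topLevel) {
    const stack = tokens.slice().reverse();
    const out = [];
    while (stack.length) {
      const t = stack.pop();
      if (topLevel && (t === "\\def" || t === "\\edef")) {
        const name = stack.pop();
        const body = readGroup(stack);
        if (t === "\\def") {
          macros.set(name, body);                 // \def stores the body unexpanded
        } else {
          const expanded = process(body, false);  // \edef expands the body now
          if (countEdefTokens) charge(expanded.length);
          macros.set(name, expanded);
        }
      } else if (macros.has(t)) {
        charge(1);                                // one macro expansion, any size
        const body = macros.get(t);
        for (let k = body.length - 1; k >= 0; k--) stack.push(body[k]);
      } else {
        out.push(t);
      }
    }
    return out;
  }

  return { output: process(tokenize(src), true), expansions };
}

// Constructed input following the advisory's description: define \a, redefine it
// n times with \edef as two copies of itself, then use it once.
function doublingInput(n) {
  return "\\def\\a{x}" + "\\edef\\a{\\a\\a}".repeat(n) + "\\a";
}

// Run one policy and summarise the outcome instead of throwing.
function tryExpand(src, opts) {
  try {
    const { output, expansions } = expand(src, opts);
    return { rejected: false, expansions, outputTokens: output.length };
  } catch (e) {
    return { rejected: true, reason: e.message };
  }
}

const payload = doublingInput(16);
console.log("legacy:", tryExpand(payload, { maxExpand: 1000 }));
console.log("fixed: ", tryExpand(payload, { maxExpand: 1000, countEdefTokens: true }));
```

With a budget of 1000 (KaTeX's documented default for `maxExpand`), sixteen doubling steps cost only 33 expansions under the legacy accounting yet emit 65536 tokens; raising `n` a little would make that client choke long before the limit is reached. Charging `\edef` per stored token rejects the same input during the ninth redefinition, while an ordinary `\edef` such as `\def\a{x}\edef\b{\a\a}\b` still succeeds.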
What is the Impact of CVE-2024-28243?
Successful exploitation lets an attacker deny service to users who render untrusted mathematical expressions: the rendering client becomes unresponsive, exhausts memory, or overflows its stack, which prevents normal use of the affected site or application.
What is the Exploitability of CVE-2024-28243?
Exploitation is of low to medium complexity: it requires only crafting KaTeX input that uses `\edef` to repeatedly redefine a macro. The prerequisite is an application that renders user-supplied or otherwise untrusted mathematical expressions with a KaTeX version before v0.16.10. Setting `maxExpand` does not help on those versions, because the flaw is in how the limit is accounted for, not in its value. No authentication is needed if unauthenticated users can submit or view KaTeX expressions, and no special privileges are required. The attack is remote whenever the rendering happens in a client-side web application that processes input from a remote source, or in a server-side rendering process exposed to untrusted input. The likelihood of exploitation rises where KaTeX is used widely to display user-generated content with no input validation that rejects `\edef` beforehand.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-28243?
Available Upgrade Options
- katex
- >0.10.0-beta, <0.16.10 → Upgrade to 0.16.10
Additional Resources
- https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w
- https://osv.dev/vulnerability/GHSA-64fm-8hw2-v72w
- https://nvd.nist.gov/vuln/detail/CVE-2024-28243
- https://github.com/KaTeX/KaTeX
- https://github.com/KaTeX/KaTeX/commit/e88b4c357f978b1bca8edfe3297f0aa309bcbe34
What are Similar Vulnerabilities to CVE-2024-28243?
Similar Vulnerabilities: CVE-2023-45814, CVE-2022-24817, CVE-2021-39145, CVE-2020-14979, CVE-2019-14867
