7085

**Name of the Vulnerable Software and Affected Versions** KaTeX versions prior to 0.16.10 **Description** KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option can be fooled by URLs in malicious inputs that use uppercase characters in the protocol, allowing for malicious input to generate `javascript:` links in the output. This issue arises because KaTeX did not normalize the `protocol` entry of the `context` object provided to a user-specified `trust` function, which could be a mix of lowercase and/or uppercase letters. **Recommendations** Upgrade to KaTeX v0.16.10 to remove this vulnerability. As a temporary workaround, consider using an allow-list instead of block-listing protocols in your `trust` function. Manually lowercase `context.protocol` via `context.protocol.toLowerCase()` before attempting to check for certain protocols. Avoid use of or turn off the `trust` option.

**Name of the Vulnerable Software and Affected Versions** fast-xml-parser versions prior to 4.2.4 **Description** The issue allows special characters in entity names, which are not escaped or sanitized. This can be abused for denial of service (DoS) attacks by crafting an entity name that results in an intentionally bad performing regex, causing the parser to stall for an indefinite amount of time. **Recommendations** For versions prior to 4.2.4, upgrade to version 4.2.4 or later. For users unable to upgrade, avoid using DOCTYPE parsing by setting the `processEntities: false` option.