PT-2024-22360 · Katex+3

Martinvks · Published 2024-03-25 · Updated 2025-09-02

CVE-2024-28245

CVSS v3.1: 6.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: KaTeX versions prior to 0.16.10

Description: KaTeX is a JavaScript library for TeX math rendering on the web. Users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or that generates invalid HTML. The \includegraphics command did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.

Recommendations: Upgrade to KaTeX v0.16.10 to remove this vulnerability. As a temporary workaround, avoid using the trust option or turn it off, or set it to a function that forbids \includegraphics commands. Forbid inputs containing the substring "includegraphics". Sanitize the HTML output from KaTeX.
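The workaround above expressed as KaTeX render options, as an added example that is not part of the advisory or of KaTeX itself. It assumes KaTeX's documented trust callback shape (a function receiving an object with command, url and protocol, returning a boolean); the helper names and sample inputs are this example's own.

```javascript
// Added example: a trust callback that forbids \includegraphics, plus the
// input-substring check the advisory recommends for versions before 0.16.10.
// Assumes KaTeX's documented trust callback contract: the function receives
// { command, url, protocol } and returns true to trust the command.

// Trust-gated commands that this deployment never wants rendered.
const FORBIDDEN_COMMANDS = new Set(['\\includegraphics']);

// Protocols permitted for the remaining trust-gated commands (\href, \url).
const ALLOWED_PROTOCOLS = new Set(['http', 'https']);

// Trust callback for KaTeX: reject \includegraphics outright, and only allow
// other trust-gated commands when they point at an http(s) URL.
function trustPolicy(context) {
  if (FORBIDDEN_COMMANDS.has(context.command)) {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(context.protocol);
}

// Pre-render filter: the advisory's stop-gap of refusing any input that
// contains the substring "includegraphics" (case-sensitive, like TeX itself).
function rejectsIncludegraphics(texSource) {
  return texSource.includes('includegraphics');
}

// Options object to pass to katex.render / katex.renderToString.
const KATEX_OPTIONS = {
  throwOnError: false,
  trust: trustPolicy,
};

// Wrapper that applies the substring check before handing input to KaTeX.
// `katex` is the loaded library object; the caller still sanitizes the HTML
// that comes back, as the advisory recommends.
function renderToStringSafely(katex, texSource) {
  if (rejectsIncludegraphics(texSource)) {
    throw new Error('Input rejected: \\includegraphics is not permitted');
  }
  return katex.renderToString(texSource, KATEX_OPTIONS);
}

// Constructed sample contexts of the kind KaTeX passes to the trust callback.
const SAMPLE_IMAGE_CONTEXT = {
  command: '\\includegraphics', url: 'diagram.png', protocol: '_relative',
};
const SAMPLE_LINK_CONTEXT = {
  command: '\\href', url: 'https://example.org/paper', protocol: 'https',
};
```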

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

CVE-2024-28245
GHSA-F98W-7CXR-FF2H
USN-7572-1

Affected Products

Debian
Katex
Linuxmint
Ubuntu