Search for packages
| purl | pkg:npm/katex@0.12.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1uvx-5hp6-5bgk
Aliases: CVE-2024-28245 GHSA-f98w-7cxr-ff2h |
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability. |
Affected by 1 other vulnerability. |
|
VCID-j9km-s26z-ekc7
Aliases: CVE-2024-28246 GHSA-3wc5-fcw2-2329 |
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to remove this vulnerability. |
Affected by 1 other vulnerability. |
|
VCID-npmc-q6zw-j7de
Aliases: CVE-2025-23207 GHSA-cg87-wmx4-v546 |
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the substring `"\\htmlData"` and sanitize HTML output from KaTeX. |
Affected by 0 other vulnerabilities. |
|
VCID-yr9t-mmfr-rub1
Aliases: CVE-2024-28243 GHSA-64fm-8hw2-v72w |
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T19:50:20.388521+00:00 | GitLab Importer | Affected by | VCID-npmc-q6zw-j7de | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/katex/CVE-2025-23207.yml | 38.6.0 |
| 2026-06-12T19:24:02.675729+00:00 | GitLab Importer | Affected by | VCID-j9km-s26z-ekc7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/katex/CVE-2024-28246.yml | 38.6.0 |
| 2026-06-12T19:23:57.943903+00:00 | GitLab Importer | Affected by | VCID-1uvx-5hp6-5bgk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/katex/CVE-2024-28245.yml | 38.6.0 |
| 2026-06-12T15:48:22.747401+00:00 | GitLab Importer | Affected by | VCID-yr9t-mmfr-rub1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/katex/CVE-2024-28243.yml | 38.6.0 |
| 2026-06-11T20:34:17.462341+00:00 | GHSA Importer | Affected by | VCID-yr9t-mmfr-rub1 | https://github.com/advisories/GHSA-64fm-8hw2-v72w | 38.6.0 |