VulnerableCode Package Details - pkg:npm/katex@0.16.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-1uvx-5hp6-5bgk Aliases: CVE-2024-28245 GHSA-f98w-7cxr-ff2h	KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.	0.16.10 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-j9km-s26z-ekc7 Aliases: CVE-2024-28246 GHSA-3wc5-fcw2-2329	KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to remove this vulnerability.	0.16.10 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-jft4-ny5y-auca Aliases: CVE-2024-28244 GHSA-cvr6-37gx-v8wc	KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub\|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.	0.16.10 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-npmc-q6zw-j7de Aliases: CVE-2025-23207 GHSA-cg87-wmx4-v546	KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the substring `"\\htmlData"` and sanitize HTML output from KaTeX.	0.16.21 Affected by 0 other vulnerabilities.
VCID-yr9t-mmfr-rub1 Aliases: CVE-2024-28243 GHSA-64fm-8hw2-v72w	KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.	0.16.10 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1uvx-5hp6-5bgk
Aliases:
CVE-2024-28245
GHSA-f98w-7cxr-ff2h

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

0.16.10
Affected by 1 other vulnerability.

VCID-j9km-s26z-ekc7
Aliases:
CVE-2024-28246
GHSA-3wc5-fcw2-2329

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

0.16.10
Affected by 1 other vulnerability.

VCID-jft4-ny5y-auca
Aliases:
CVE-2024-28244
GHSA-cvr6-37gx-v8wc

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.

0.16.10
Affected by 1 other vulnerability.

VCID-npmc-q6zw-j7de
Aliases:
CVE-2025-23207
GHSA-cg87-wmx4-v546

KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the substring `"\\htmlData"` and sanitize HTML output from KaTeX.

0.16.21
Affected by 0 other vulnerabilities.

VCID-yr9t-mmfr-rub1
Aliases:
CVE-2024-28243
GHSA-64fm-8hw2-v72w

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.

0.16.10
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T19:50:20.533632+00:00	GitLab Importer	Affected by	VCID-npmc-q6zw-j7de	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/katex/CVE-2025-23207.yml	38.6.0
2026-06-12T19:24:02.815501+00:00	GitLab Importer	Affected by	VCID-j9km-s26z-ekc7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/katex/CVE-2024-28246.yml	38.6.0
2026-06-12T19:24:00.002008+00:00	GitLab Importer	Affected by	VCID-jft4-ny5y-auca	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/katex/CVE-2024-28244.yml	38.6.0
2026-06-12T19:23:59.454641+00:00	GitLab Importer	Affected by	VCID-yr9t-mmfr-rub1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/katex/CVE-2024-28243.yml	38.6.0
2026-06-12T19:23:58.126126+00:00	GitLab Importer	Affected by	VCID-1uvx-5hp6-5bgk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/katex/CVE-2024-28245.yml	38.6.0