{"url":"http://public2.vulnerablecode.io/api/packages/69551?format=json","purl":"pkg:npm/katex@0.15.4","type":"npm","namespace":"","name":"katex","version":"0.15.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.16.10","latest_non_vulnerable_version":"0.16.10","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47334?format=json","vulnerability_id":"VCID-ayrg-3d9c-nbe2","summary":"KaTeX's maxExpand bypassed by Unicode sub/superscripts\nKaTeX users who render untrusted mathematical expressions could encounter malicious input using `\\def` or `\\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.","references":[{"reference_url":"https://github.com/KaTeX/KaTeX","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/KaTeX/KaTeX"},{"reference_url":"https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/KaTeX/KaTeX/commit/085e21b5da05414efefa932570e7201a7c70e5b2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28244","reference_id":"CVE-2024-28244","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28244"},{"reference_url":"https://github.com/advisories/GHSA-cvr6-37gx-v8wc","reference_id":"GHSA-cvr6-37gx-v8wc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cvr6-37gx-v8wc"},{"reference_url":"https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc","reference_id":"GHSA-cvr6-37gx-v8wc","reference_type":"","scores":[],"url":"https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69536?format=json","purl":"pkg:npm/katex@0.16.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/katex@0.16.10"}],"aliases":["CVE-2024-28244","GHSA-cvr6-37gx-v8wc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ayrg-3d9c-nbe2"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/katex@0.15.4"}