Version Details and Security Vulnerabilities

📦

micromark-extension-math

0.1.1

Comparision Betweeen 0.1.1 and 0.1.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

17.2 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

micromark-extension-math

0.1.1

Comparision Betweeen 0.1.1 and 0.1.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

17.2 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.1 of the package micromark-extension-math.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.1 of the package

Summary:

KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols

Details:

Impact

Code that uses KaTeX's trust option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the output, even if the trust function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Allow-list instead of block protocols in your trust function.
Manually lowercase context.protocol via context.protocol.toLowerCase() before attempting to check for certain protocols.
Avoid use of or turn off the trust option.

Details

KaTeX did not normalize the protocol entry of the context object provided to a user-specified trust-function, so it could be a mix of lowercase and/or uppercase letters.

It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:

Allow all commands but forbid specific protocol: trust: (context) => context.protocol !== 'file'

Currently KaTeX internally sees file: and File: URLs as different protocols, so context.protocol can be file or File, so the above check does not suffice. A simple workaround would be:

trust: (context) => context.protocol.toLowerCase() !== 'file'

Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:

Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.

Details about katex@0.12.0

Summary:

KaTeX's maxExpand bypassed by \edef

Details:

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Forbid inputs containing the substring "\\edef" before passing them to KaTeX. (There is no easy workaround for the auto-render extension.)

Details

KaTeX supports an option named maxExpand which prevents infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. However, what counted as an "expansion" is a single macro expanding to any number of tokens. The expand-and-define TeX command \edef can be used to build up an exponential number of tokens using only a linear number of expansions according to this definition, e.g. by repeatedly doubling the previous definition. This has been corrected in KaTeX v0.16.10, where every expanded token in an \edef counts as an expansion.

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at katex-security@mit.edu

Details about katex@0.12.0

Summary:

KaTeX's \includegraphics does not escape filename

Details:

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Avoid use of or turn off the trust option, or set it to forbid \includegraphics commands.
Forbid inputs containing the substring "\\includegraphics".
Sanitize HTML output from KaTeX.

Details

\includegraphics did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at katex-security@mit.edu

Details about katex@0.12.0

Summary:

KaTeX \htmlData does not validate attribute names

Details:

Impact

KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.21 to remove this vulnerability.

Workarounds

Avoid use of or turn off the trust option, or set it to forbid \htmlData commands.
Forbid inputs containing the substring "\\htmlData".
Sanitize HTML output from KaTeX.

Details

\htmlData did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at katex-security@mit.edu

Details about katex@0.12.0

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.1 of the package micromark-extension-math.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.1 of the package

Summary:

KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols

Details:

Impact

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Allow-list instead of block protocols in your trust function.
Manually lowercase context.protocol via context.protocol.toLowerCase() before attempting to check for certain protocols.
Avoid use of or turn off the trust option.

Details

KaTeX did not normalize the protocol entry of the context object provided to a user-specified trust-function, so it could be a mix of lowercase and/or uppercase letters.

Allow all commands but forbid specific protocol: trust: (context) => context.protocol !== 'file'

Currently KaTeX internally sees file: and File: URLs as different protocols, so context.protocol can be file or File, so the above check does not suffice. A simple workaround would be:

trust: (context) => context.protocol.toLowerCase() !== 'file'

Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:

Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.

Details about katex@0.12.0

Summary:

KaTeX's maxExpand bypassed by \edef

Details:

Impact

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Forbid inputs containing the substring "\\edef" before passing them to KaTeX. (There is no easy workaround for the auto-render extension.)

Details

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at katex-security@mit.edu

Details about katex@0.12.0

Summary:

KaTeX's \includegraphics does not escape filename

Details:

Impact

KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Workarounds

Avoid use of or turn off the trust option, or set it to forbid \includegraphics commands.
Forbid inputs containing the substring "\\includegraphics".
Sanitize HTML output from KaTeX.

Details

\includegraphics did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at katex-security@mit.edu

Details about katex@0.12.0

Summary:

KaTeX \htmlData does not validate attribute names

Details:

Impact

KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.

Patches

Upgrade to KaTeX v0.16.21 to remove this vulnerability.

Workarounds

Avoid use of or turn off the trust option, or set it to forbid \htmlData commands.
Forbid inputs containing the substring "\\htmlData".
Sanitize HTML output from KaTeX.

Details

\htmlData did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.

For more information

If you have any questions or comments about this advisory:

Open an issue or security advisory in the KaTeX repository
Email us at katex-security@mit.edu

Details about katex@0.12.0

Version Details and Security Vulnerabilities

micromark-extension-math

Comparision Betweeen 0.1.1 and 0.1.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

micromark-extension-math

Comparision Betweeen 0.1.1 and 0.1.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

katex@0.12.0 GHSA-3wc5-fcw2-2329 5.5

Impact

Patches

Workarounds

Details

katex@0.12.0 GHSA-64fm-8hw2-v72w 6.5

Impact

Patches

Workarounds

Details

For more information

katex@0.12.0 GHSA-f98w-7cxr-ff2h 6.3

Impact

Patches

Workarounds

Details

For more information

katex@0.12.0 GHSA-cg87-wmx4-v546 6.3

Impact

Patches

Workarounds

Details

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

katex@0.12.0 GHSA-3wc5-fcw2-2329 5.5

Impact

Patches

Workarounds

Details

katex@0.12.0 GHSA-64fm-8hw2-v72w 6.5

Impact

Patches

Workarounds

Details

For more information

katex@0.12.0 GHSA-f98w-7cxr-ff2h 6.3

Impact

Patches

Workarounds

Details

For more information

katex@0.12.0 GHSA-cg87-wmx4-v546 6.3

Impact

Patches

Workarounds

Details

For more information