fix(deps): update dependency katex to v0.16.21 [security] #337
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
⚠ Artifact update problemRenovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below: File name: pnpm-lock.yaml |
renovate
bot
force-pushed
the
renovate/npm-katex-vulnerability
branch
from
11428b9 to
657ab6b
Compare
renovate
bot
changed the title
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.15.1->0.16.21GitHub Vulnerability Alerts
CVE-2024-28245
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\includegraphicsthat runs arbitrary JavaScript, or generate invalid HTML.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
trustoption, or set it to forbid\includegraphicscommands."\\includegraphics".Details
\includegraphicsdid not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.For more information
If you have any questions or comments about this advisory:
CVE-2024-28246
Impact
Code that uses KaTeX's
trustoption, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generatejavascript:links in the output, even if thetrustfunction tries to forbid this protocol viatrust: (context) => context.protocol !== 'javascript'.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
trustfunction.context.protocolviacontext.protocol.toLowerCase()before attempting to check for certain protocols.trustoption.Details
KaTeX did not normalize the
protocolentry of thecontextobject provided to a user-specifiedtrust-function, so it could be a mix of lowercase and/or uppercase letters.It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:
Currently KaTeX internally sees
file:andFile:URLs as different protocols, socontext.protocolcan befileorFile, so the above check does not suffice. A simple workaround would be:Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:
CVE-2024-28243
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\edefthat causes a near-infinite loop, despite settingmaxExpandto avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
Forbid inputs containing the substring
"\\edef"before passing them to KaTeX.(There is no easy workaround for the auto-render extension.)
Details
KaTeX supports an option named
maxExpandwhich prevents infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. However, what counted as an "expansion" is a single macro expanding to any number of tokens. The expand-and-define TeX command\edefcan be used to build up an exponential number of tokens using only a linear number of expansions according to this definition, e.g. by repeatedly doubling the previous definition. This has been corrected in KaTeX v0.16.10, where every expanded token in an\edefcounts as an expansion.For more information
If you have any questions or comments about this advisory:
CVE-2025-23207
Impact
KaTeX users who render untrusted mathematical expressions with
renderToStringcould encounter malicious input using\htmlDatathat runs arbitrary JavaScript, or generate invalid HTML.Patches
Upgrade to KaTeX v0.16.21 to remove this vulnerability.
Workarounds
trustoption, or set it to forbid\htmlDatacommands."\\htmlData".Details
\htmlDatadid not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.For more information
If you have any questions or comments about this advisory:
Release Notes
KaTeX/KaTeX (katex)
v0.16.21Compare Source
Bug Fixes
v0.16.20Compare Source
Bug Fixes
v0.16.19Compare Source
Bug Fixes
strictfunction type (#4009) (4228b4e)v0.16.18Compare Source
Bug Fixes
v0.16.17Compare Source
Bug Fixes
v0.16.16Compare Source
Features
v0.16.15Compare Source
Features
\mathsfitcommand (#3998) (2218901)v0.16.14Compare Source
Features
v0.16.13Compare Source
Bug Fixes
\vdotsand\rulesupport in text mode (#3997) (0e08352), closes #3990v0.16.12Compare Source
Features
v0.16.11Compare Source
Features
v0.16.10Compare Source
Bug Fixes
v0.16.9Compare Source
Features
v0.16.8Compare Source
Features
v0.16.7Compare Source
Bug Fixes
v0.16.6Compare Source
Bug Fixes
\letviamacrosoption (#3738) (bdb0be2), closes #3737 #3737v0.16.5Compare Source
Features
v0.16.4Compare Source
Bug Fixes
v0.16.3Compare Source
Bug Fixes
v0.16.2Compare Source
Bug Fixes
v0.16.1Compare Source
Bug Fixes
v0.16.0Compare Source
Bug Fixes
BREAKING CHANGES
0.15.6 (2022-05-20)
Features
0.15.5 (2022-05-20)
Bug Fixes
0.15.4 (2022-05-20)
Features
0.15.3 (2022-03-13)
Bug Fixes
0.15.2 (2022-01-12)
Bug Fixes
0.15.1 (2021-10-31)
Features
v0.15.6Compare Source
Features
v0.15.5Compare Source
Bug Fixes
v0.15.4Compare Source
Features
v0.15.3Compare Source
Bug Fixes
v0.15.2Compare Source
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.