CVE-2024-28243: KaTeX's maxExpand bypassed by `\edef`
KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef
that causes a near-infinite loop, despite setting maxExpand
to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user’s KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.
References
Detect and mitigate CVE-2024-28243 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →