CVE-2025-23207: KaTeX \htmlData does not validate attribute names

January 17, 2025 (updated January 21, 2025)

KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.

References

github.com/KaTeX/KaTeX
github.com/KaTeX/KaTeX/commit/ff289955e81aab89086eef09254cbf88573d415c
github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546
github.com/advisories/GHSA-cg87-wmx4-v546
nvd.nist.gov/vuln/detail/CVE-2025-23207

Detect and mitigate CVE-2025-23207 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →