CVE-2025-29049: MathLive's Lack of Escaping of HTML allows for XSS
Although MathLive renders ordinary text as LaTeX expressions, which prevents XSS, the library also provides commands that can modify the generated HTML, such as the \htmlData command, and the lack of escaping in these commands leads to XSS.
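As an added illustration of the mitigation (this is example code, not MathLive's implementation, and the `key=value,key=value` argument shape, the `renderHtmlData`/`escapeAttr`/`dataAttrName` names and the sample input are all assumptions), the following shows how a command that emits `data-*` attributes from an untrusted argument must validate the attribute name and escape the value before it is placed in HTML:

```javascript
// Added example, not MathLive's code. Assumes the argument of an \htmlData-style
// command is attacker-controllable (e.g. user-submitted LaTeX) and has the
// constructed shape "key=value,key=value".

// Escape the characters that can terminate a double-quoted attribute value or
// start new markup.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only names that form a valid data-* suffix (letters, digits, hyphens).
// Anything else (quotes, spaces, '=') could inject a second attribute, so it is
// rejected by returning null. The data- prefix keeps the result inert even if a
// key such as "onclick" is supplied.
function dataAttrName(key) {
  return /^[a-z][a-z0-9-]*$/i.test(key) ? `data-${key.toLowerCase()}` : null;
}

// Build a <span> whose only attributes are validated, escaped data-* pairs.
function renderHtmlData(arg) {
  const attrs = [];
  for (const pair of arg.split(',')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;                               // no "=": ignore
    const name = dataAttrName(pair.slice(0, eq).trim());
    if (name === null) continue;                        // unsafe key: drop it
    attrs.push(`${name}="${escapeAttr(pair.slice(eq + 1).trim())}"`);
  }
  return `<span${attrs.length ? ' ' + attrs.join(' ') : ''}></span>`;
}

// Constructed sample input: the second value tries to close the attribute and
// the tag. After escaping it stays inside the quoted value.
const sample = 'foo=bar,tip="><b>x</b>';
console.log(renderHtmlData(sample));
// <span data-foo="bar" data-tip="&quot;&gt;&lt;b&gt;x&lt;/b&gt;"></span>
```

The two checks are independent: `dataAttrName` guards the attribute name (where escaping alone is not enough, since a name is never quoted), and `escapeAttr` guards the value. Dropping a bad key rather than escaping it keeps the output well-formed without guessing what the author meant.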