logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-28246 katex

Package

Manager: npm
Name: katex
Vulnerable Version: >=0.11.0 <0.16.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00062 pctl0.19585

Details

KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols ### Impact Code that uses KaTeX's `trust` option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. ### Patches Upgrade to KaTeX v0.16.10 to remove this vulnerability. ### Workarounds * Allow-list instead of block protocols in your `trust` function. * Manually lowercase `context.protocol` via `context.protocol.toLowerCase()` before attempting to check for certain protocols. * Avoid use of or turn off the `trust` option. ### Details KaTeX did not normalize the `protocol` entry of the `context` object provided to a user-specified `trust`-function, so it could be a mix of lowercase and/or uppercase letters. It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the [KaTeX documentation](https://katex.org/docs/options.html) even provides such an example: > Allow all commands but forbid specific protocol: `trust: (context) => context.protocol !== 'file'` Currently KaTeX internally sees `file:` and `File:` URLs as different protocols, so `context.protocol` can be `file` or `File`, so the above check does not suffice. A simple workaround would be: > `trust: (context) => context.protocol.toLowerCase() !== 'file'` Most URL parsers normalize the scheme to lowercase. For example, [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#section-3.1) says: > Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.

Metadata

Created: 2024-03-25T19:38:37Z
Modified: 2024-03-25T22:32:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-3wc5-fcw2-2329/GHSA-3wc5-fcw2-2329.json
CWE IDs: ["CWE-184"]
Alternative ID: GHSA-3wc5-fcw2-2329
Finding: F184
Auto approve: 1