CVE-2023-39663 mathjax

Package

Manager: npm
Name: mathjax
Vulnerable Version: >=0 <=2.7.9

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00211 (percentile: 0.43628)

Details

MathJax Regular expression Denial of Service (ReDoS)

MathJax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pattern and markdownPattern. NOTE: the vendor disputes this because the regular expressions are not applied to user input; thus, there is no risk.

Metadata

Created: 2023-08-29T21:30:21Z
Modified: 2024-01-31T00:02:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-v638-q856-grg8/GHSA-v638-q856-grg8.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-v638-q856-grg8
Finding: F211
Auto approve: 1