CVE-2025-29049 mathlive

Package

Manager: npm
Name: mathlive
Vulnerable Version: >=0 <0.104.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.0006 (percentile 0.1882)

Details

MathLive's Lack of Escaping of HTML allows for XSS

Summary

Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the `\htmlData` command, and the lack of escaping leads to XSS.

Details

Overall in the code, other than in the `test` folder, no functions escaping HTML can be seen.

PoC

1. Go to https://cortexjs.io/mathlive/demo/
2. Paste either `\htmlData{><img/onerror=alert(1)"src=}{}` or `\htmlData{x=" ><img/onerror=alert(1) src>}{}` in the LaTeX textarea.

Impact

MathLive users who render untrusted mathematical expressions could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML.
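The following is an added illustration, not MathLive's own code: it shows the unescaped interpolation pattern the advisory describes next to a hardened emitter that validates `data-*` attribute names and escapes values, and checks both PoC payloads against it. The `key=value, key2=value2` argument syntax and the `renderUnsafe`/`renderSafe` functions are assumptions made for the example, not MathLive's real parser.

```javascript
// Added example (not MathLive's code). Assumption: an \htmlData{...}{...}
// argument is a comma-separated list of key=value pairs rendered as
// data-* attributes on a span.

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only accept attribute names made of letters, digits and hyphens
// (assumption: a conservative subset of what data-* allows).
const SAFE_NAME = /^[a-zA-Z][a-zA-Z0-9-]*$/;

// Parse "k=v, k2=v2" into [[name, value], ...]; pairs whose name fails
// SAFE_NAME are dropped rather than emitted.
function parseHtmlData(arg) {
  return arg.split(",").map(s => s.trim()).filter(Boolean).flatMap(pair => {
    const i = pair.indexOf("=");
    const name = (i === -1 ? pair : pair.slice(0, i)).trim();
    const value = i === -1 ? "" : pair.slice(i + 1).trim();
    return SAFE_NAME.test(name) ? [[name.toLowerCase(), value]] : [];
  });
}

// Vulnerable pattern: the raw argument is spliced into markup, so a value
// containing '>' or '"' can close the attribute and inject new tags.
function renderUnsafe(arg) {
  return `<span data-${arg}></span>`;
}

// Hardened pattern: validated names, escaped values; the payload text
// survives only as inert attribute content.
function renderSafe(arg) {
  const attrs = parseHtmlData(arg)
    .map(([k, v]) => ` data-${k}="${escapeAttr(v)}"`)
    .join("");
  return `<span${attrs}></span>`;
}

// The two payloads quoted in the advisory's PoC section.
const POC_1 = '><img/onerror=alert(1)"src=';
const POC_2 = 'x=" ><img/onerror=alert(1) src>';
```

With `renderSafe`, the first payload yields a bare `<span></span>` (invalid name dropped) and the second yields a `data-x` attribute whose value contains no raw `<`, `>` or `"`.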

Metadata

Created: 2025-01-21T21:17:52Z
Modified: 2025-04-02T00:33:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-qwj6-q94f-8425/GHSA-qwj6-q94f-8425.json
CWE IDs: ["CWE-116", "CWE-79"]
Alternative ID: GHSA-qwj6-q94f-8425
Finding: F008
Auto approve: 1