CVE-2024-28243

6.5 MEDIUM

📋 TL;DR

KaTeX users who render untrusted mathematical expressions are vulnerable to a denial-of-service attack. Malicious input using the \edef command can cause near-infinite loops that bypass maxExpand protections, leading to memory overflow, main thread blocking, or stack overflow. This affects any web application using KaTeX to render user-provided mathematical content.

💻 Affected Systems

Products:
  • KaTeX
Versions: All versions before 0.16.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where KaTeX renders untrusted user input containing mathematical expressions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial-of-service where client browsers become unresponsive, server resources are exhausted, and affected web applications become unavailable to users.

🟠 Likely Case

Availability degradation where specific users or sessions experience browser freezes, high CPU usage, and inability to interact with KaTeX-rendered content.

🟢 If Mitigated

Minimal impact if input validation filters \edef commands or if KaTeX is only used for trusted content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to submit mathematical expressions containing \edef commands to be rendered by KaTeX.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.16.10

Vendor Advisory: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w

Restart Required: No

Instructions:

1. Update the KaTeX dependency to version 0.16.10 or later.
2. For npm: 'npm update katex'.
3. For yarn: 'yarn upgrade katex'.
4. For direct script inclusion: update the CDN link or local file to v0.16.10+.

🔧 Temporary Workarounds

Input Sanitization

all

Filter or block mathematical expressions containing \edef commands before passing to KaTeX renderer.

Isolate Rendering

all

Run KaTeX rendering in a separate worker thread or sandboxed environment to limit impact on main application.

🧯 If You Can't Patch

  • Implement strict input validation to reject or sanitize mathematical expressions containing \edef commands.
  • Limit KaTeX usage to trusted content only and disable rendering of user-provided mathematical expressions.
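The input-sanitization workaround above is simple to state but easy to get wrong with a plain substring match: in TeX syntax a backslash followed by letters is a control word (\edef, \frac), while a backslash followed by one non-letter is a control symbol (\\, \{), so "\\edef" is a line break followed by the letters "edef", and "\edefx" is a different macro altogether. The following added example (not KaTeX project code; the function names findControlWords, rejectsEdef and renderUntrusted are assumptions) scans control words properly and refuses input that contains \edef before it reaches the renderer. The renderer is passed in as a parameter so the example runs without the library installed; upgrading to 0.16.10 remains the actual fix.

```javascript
// Added example, not from the KaTeX project. Assumed names: findControlWords,
// rejectsEdef, renderUntrusted.

// Control words a stop-gap filter refuses. The advisory names only \edef.
const BLOCKED_CONTROL_WORDS = new Set(['edef']);

// Return every control word (backslash + letters) in the source, skipping
// control symbols (backslash + one non-letter) so that "\\edef" is read as
// the line-break symbol "\\" followed by ordinary text, not as "\edef".
function findControlWords(src) {
  const words = [];
  for (let i = 0; i < src.length; i++) {
    if (src[i] !== '\\') continue;
    let j = i + 1;
    while (j < src.length && /[A-Za-z]/.test(src[j])) j++;
    if (j === i + 1) {
      // Control symbol: it consumes exactly one following character.
      i = j;
    } else {
      // Control word: the letters between the backslash and the next non-letter.
      words.push(src.slice(i + 1, j));
      i = j - 1;
    }
  }
  return words;
}

// True when the input contains a blocked control word spelled exactly
// ("\edefx" is not "\edef").
function rejectsEdef(src) {
  return findControlWords(src).some((w) => BLOCKED_CONTROL_WORDS.has(w));
}

// Guard around whatever entry point you use (for example katex.renderToString).
// Callers get an explicit refusal instead of a hung main thread.
function renderUntrusted(src, render) {
  if (rejectsEdef(src)) {
    return { ok: false, reason: 'input contains \\edef and was refused' };
  }
  return { ok: true, html: render(src) };
}

// Constructed sample inputs; the "renderer" here just echoes the source.
const SAMPLES = [
  '\\frac{a}{b}',        // ordinary math, accepted
  'a \\\\ edef',         // line break then plain text, accepted
  '\\edefx{1}',          // a different control word, accepted
  '\\edef\\x{\\y}',      // the \edef macro, refused
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), renderUntrusted(s, (x) => x));
}
```

The scanner is deliberately conservative in one direction: it flags \edef even inside a `%` comment, which costs nothing but a refused render, whereas a substring match would reject legitimate input such as "a \\\\ edef".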

🔍 How to Verify

Check if Vulnerable:

Check the KaTeX version in package.json, package-lock.json, or via the 'npm list katex' command. If the version is below 0.16.10 and the application renders untrusted math expressions, it is vulnerable.

Check Version:

npm list katex | grep katex

Verify Fix Applied:

Confirm the KaTeX version is 0.16.10 or higher via the version check, then test rendering of mathematical expressions containing \edef to ensure no infinite loops occur.
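The version check above is a numeric comparison, and a common mistake is to do it as a string comparison, under which "0.16.9" sorts after "0.16.10". The following added example (not KaTeX project code; parseVersion, isFixed and auditLockfile are assumed names, and the lockfile fragment is constructed) parses a version string, compares it against the 0.16.10 fix version, treats a pre-release of 0.16.10 as not yet fixed, and walks a package-lock.json so that nested copies of katex pulled in by another dependency are reported too, not only the top-level one.

```javascript
// Added example, not from the KaTeX project. Assumed names: parseVersion,
// compareCore, isFixed, auditLockfile.

// The version in which the advisory says the issue is fixed.
const FIXED_IN = [0, 16, 10];

// "0.16.9", "v0.16.10", "0.16.10-beta.1" -> { core: [major, minor, patch], pre }.
// Anything unparseable throws, so a stray "latest" cannot pass as fixed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric, component-wise comparison of two [major, minor, patch] arrays.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Fixed when the version is at or above 0.16.10; a pre-release of exactly
// 0.16.10 precedes the release and is counted as not fixed.
function isFixed(v) {
  const { core, pre } = parseVersion(v);
  const cmp = compareCore(core, FIXED_IN);
  return cmp > 0 || (cmp === 0 && pre === null);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every katex entry, including nested copies under */node_modules/katex.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/katex' || path.endsWith('/node_modules/katex')) {
      findings.push({ path, version: pkg.version, fixed: isFixed(pkg.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile, not a real project's: the top-level katex is
// patched but a plugin still pins a vulnerable copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/katex': { version: '0.16.10' },
    'node_modules/some-markdown-plugin': { version: '2.0.0' },
    'node_modules/some-markdown-plugin/node_modules/katex': { version: '0.16.9' },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.version} ${f.fixed ? 'fixed' : 'VULNERABLE'}`);
}
```

Nested copies matter because 'npm list katex' at the top level can show 0.16.10 while a markdown or editor plugin still bundles its own older katex; auditing the lockfile catches both.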

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Browser crash reports
  • Unusually long processing times for mathematical expression rendering

Network Indicators:

  • Increased client-side resource consumption when loading pages with KaTeX

SIEM Query:

source="application_logs" AND ("KaTeX" OR "math render") AND ("high cpu" OR "timeout" OR "crash")
