Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
KaTeX's maxExpand bypassed by \edef
Vulnerability Description
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
未经控制的递归
Vulnerability Title
KaTeX 安全漏洞
Vulnerability Description
KaTeX是一个快速、易于使用的 JavaScript 库,用于在网络上进行 TeX 数学渲染。 KaTeX v0.16.10 版本之前存在安全漏洞,该漏洞源于渲染不受信任的数学表达式的 KaTeX 用户可能会遇到使用 edef 的恶意输入,可能导致近乎无限的循环。
CVSS Information
N/A
Vulnerability Type
N/A