[USN-7572-1] KaTeX vulnerabilities
Posted on 18 June 2025
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-7572-1
June 17, 2025
node-katex vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in KaTeX.
Software Description:
- node-katex: JavaScript library for TeX math rendering
Details:
Juho Forsén discovered that KaTeX did not correctly handle certain
inputs, which could lead to an infinite loop. If a user or application
were tricked into opening a specially crafted file, an attacker could
possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS. (CVE-2024-28243)
Tobias S. Fink discovered that KaTeX did not correctly block certain
URL protocols. If a user or system were tricked into opening a specially
crafted file, an attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS.
(CVE-2024-28246)
It was discovered that KaTeX did not correctly handle certain inputs. If
a user or system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 22.04 LTS. (CVE-2024-28245)
Sean Ng discovered that KaTeX did not correctly handle certain inputs. If
a user or system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to execute arbitrary code.
(CVE-2025-23207)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
katex 0.16.10+~cs6.1.0-2ubuntu0.25.04.1
libjs-katex 0.16.10+~cs6.1.0-2ubuntu0.25.04.1
Ubuntu 24.10
katex 0.16.10+~cs6.1.0-2ubuntu0.24.10.1
libjs-katex 0.16.10+~cs6.1.0-2ubuntu0.24.10.1
Ubuntu 24.04 LTS
katex 0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libjs-katex 0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
katex 0.13.11+~cs6.0.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
libjs-katex 0.13.11+~cs6.0.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
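To confirm that the update actually landed on a host, the following added check (not part of the notice or of the node-katex package) compares the versions reported by dpkg with the fixed versions listed above, using dpkg's own ordering rules so that `~esm1` suffixes and `ubuntu0.*` revisions sort correctly. It assumes input in the form produced by `dpkg-query -W -f='${Package} ${Version}\n'` and constructs its own sample lines.

```python
import re
# Fixed versions from USN-7572-1; katex and libjs-katex share one version per release.
FIXED_VERSIONS = {
    "25.04": "0.16.10+~cs6.1.0-2ubuntu0.25.04.1",
    "24.10": "0.16.10+~cs6.1.0-2ubuntu0.24.10.1",
    "24.04": "0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1",
    "22.04": "0.13.11+~cs6.0.0-2ubuntu0.1~esm1",
}
AFFECTED_PACKAGES = ("katex", "libjs-katex")

def _order(c):
    # dpkg weight of a non-digit char: '~' < end of string (0) < letters < others
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg verrevcmp: alternate non-digit runs (by weight) and digit runs (numerically)
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            ca = _order(na[i]) if i < len(na) else 0
            cb = _order(nb[i]) if i < len(nb) else 0
            if ca != cb:
                return ca - cb
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to ""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), revision

def compare_versions(v1, v2):
    # <0, 0 or >0, like `dpkg --compare-versions`
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def audit(release, dpkg_lines):
    # Map each affected package in `dpkg-query -W -f='${Package} ${Version}\n'` output
    # to True when it is at or above the USN-7572-1 version for `release`
    pairs = (line.split() for line in dpkg_lines if line.strip())
    return {n: compare_versions(v, FIXED_VERSIONS[release]) >= 0 for n, v in pairs if n in AFFECTED_PACKAGES}

# Constructed sample (not captured from a real host): katex patched, libjs-katex lagging
SAMPLE = ["katex 0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1", "libjs-katex 0.16.10+~cs6.1.0-2", "other-pkg 1.0-1"]
```

Running `audit("24.04", SAMPLE)` reports `{'katex': True, 'libjs-katex': False}`; packages outside the notice are ignored.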
References:
https://ubuntu.com/security/notices/USN-7572-1
CVE-2024-28243, CVE-2024-28245, CVE-2024-28246, CVE-2025-23207
Package Information:
https://launchpad.net/ubuntu/+source/node-katex/0.16.10+~cs6.1.0-2ubuntu0.25.04.1
https://launchpad.net/ubuntu/+source/node-katex/0.16.10+~cs6.1.0-2ubuntu0.24.10.1