CVE-2024-28246
Publication date 25 March 2024
Last updated 18 June 2025
Ubuntu priority
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| node-katex | 25.04 plucky |
Not affected
|
| 24.10 oracular |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 0.13.11+~cs6.0.0-2ubuntu0.1~esm1
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
References
Related Ubuntu Security Notices (USN)
- USN-7572-1
- KaTeX vulnerabilities
- 17 June 2025