1. Ubuntu Security Notices
  2. USN-7572-1

USN-7572-1: KaTeX vulnerabilities

Publication date

17 June 2025

Overview

Several security issues were fixed in KaTeX.

Releases

Packages

  • node-katex - JavaScript library for TeX math rendering

Details

Juho Forsén discovered that KaTeX did not correctly handle certain
inputs, which could lead to an infinite loop. If a user or application
were tricked into opening a specially crafted file, an attacker could
possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS. (CVE-2024-28243)

Tobias S. Fink discovered that KaTeX did not correctly block certain
URL protocols. If a user or system were tricked into opening a specially
crafted file, an attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS.
(CVE-2024-28246)

It was discovered that KaTeX did not correctly handle certain inputs. If
a user or system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 22.04...

Juho Forsén discovered that KaTeX did not correctly handle certain
inputs, which could lead to an infinite loop. If a user or application
were tricked into opening a specially crafted file, an attacker could
possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS. (CVE-2024-28243)

Tobias S. Fink discovered that KaTeX did not correctly block certain
URL protocols. If a user or system were tricked into opening a specially
crafted file, an attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS.
(CVE-2024-28246)

It was discovered that KaTeX did not correctly handle certain inputs. If
a user or system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 22.04 LTS. (CVE-2024-28245)

Sean Ng discovered that KaTeX did not correctly handle certain inputs. If
a user or system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to execute arbitrary code.
(CVE-2025-23207)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
25.04 plucky katex –  0.16.10+~cs6.1.0-2ubuntu0.25.04.1
libjs-katex –  0.16.10+~cs6.1.0-2ubuntu0.25.04.1
24.10 oracular katex –  0.16.10+~cs6.1.0-2ubuntu0.24.10.1
libjs-katex –  0.16.10+~cs6.1.0-2ubuntu0.24.10.1
24.04 noble katex –  0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1  
libjs-katex –  0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1  
22.04 jammy katex –  0.13.11+~cs6.0.0-2ubuntu0.1~esm1  
libjs-katex –  0.13.11+~cs6.0.0-2ubuntu0.1~esm1  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›