==========================================================================
Ubuntu Security Notice USN-7572-1
June 17, 2025

node-katex vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in KaTeX.

Software Description:
- node-katex: JavaScript library for TeX math rendering

Details:

Juho Forsén discovered that KaTeX did not correctly handle certain
inputs, which could lead to an infinite loop. If a user or application
were tricked into opening a specially crafted file, an attacker could
possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS. (CVE-2024-28243)

Tobias S. Fink discovered that KaTeX did not correctly block certain
URL protocols. If a user or system were tricked into opening a specially
crafted file, an attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS.
(CVE-2024-28246)

It was discovered that KaTeX did not correctly handle certain inputs. If
a user or system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 22.04 LTS. (CVE-2024-28245)

Sean Ng discovered that KaTeX did not correctly handle certain inputs. If
a user or system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to execute arbitrary code.
(CVE-2025-23207)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
  katex                           0.16.10+~cs6.1.0-2ubuntu0.25.04.1
  libjs-katex                     0.16.10+~cs6.1.0-2ubuntu0.25.04.1

Ubuntu 24.10
  katex                           0.16.10+~cs6.1.0-2ubuntu0.24.10.1
  libjs-katex                     0.16.10+~cs6.1.0-2ubuntu0.24.10.1

Ubuntu 24.04 LTS
  katex                           0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro
  libjs-katex                     0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  katex                           0.13.11+~cs6.0.0-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  libjs-katex                     0.13.11+~cs6.0.0-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
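The package versions above carry Ubuntu-specific suffixes such as ~esm1, which naive string comparison gets wrong, so a practitioner auditing a fleet needs dpkg's own ordering rules to decide whether an installed version is at or past the fix. The following is an added example, written for this note and not Ubuntu's or the KaTeX project's code: it reimplements the dpkg version comparison (epoch, upstream version, Debian revision, with ~ sorting before everything) and checks lines in the format of dpkg-query -W -f='${Package} ${Version}\n' against the fixed versions listed in this notice. The sample dpkg-query lines and the older "-2" revision in them are constructed for illustration.

```python
"""Check installed node-katex versions against the fixed versions in USN-7572-1.

Added example (not Ubuntu's or KaTeX's code): reimplements dpkg's version
ordering so suffixes like ``~esm1`` compare the way dpkg compares them.
"""
import string

# Fixed versions exactly as listed in the notice; both binary packages
# share one version per release.
_FIXED = {"25.04": "0.16.10+~cs6.1.0-2ubuntu0.25.04.1",
          "24.10": "0.16.10+~cs6.1.0-2ubuntu0.24.10.1",
          "24.04": "0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1",
          "22.04": "0.13.11+~cs6.0.0-2ubuntu0.1~esm1"}
FIXED_VERSIONS = {rel: {"katex": v, "libjs-katex": v} for rel, v in _FIXED.items()}


def _order(c):
    """dpkg character weight: '~' sorts before everything (even end of string),
    letters before other punctuation; digits and end of string weigh 0."""
    if c == "~":
        return -1
    if c == "" or c in string.digits:
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings as dpkg does: alternate
    non-digit runs (weighted lexical) and digit runs (numeric). Returns <0, 0, >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare weights until both sides reach a digit or end.
        while (i < len(a) and a[i] not in string.digits) or \
              (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in string.digits and \
              j < len(b) and b[j] in string.digits:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(version):
    # '[epoch:]upstream[-revision]'; the revision follows the last hyphen.
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching ``dpkg --compare-versions a lt|eq|gt b``."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_fixed(release, package, installed):
    """True when the installed version is at or above the notice's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[release][package]) >= 0


def check_dpkg_output(release, text):
    """Parse '<package> <version>' lines (dpkg-query -W -f='${Package} ${Version}\\n')
    and report, per package named in the notice, whether it is fixed."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in FIXED_VERSIONS[release]:
            status[parts[0]] = is_fixed(release, parts[0], parts[1])
    return status


# Constructed sample for a 24.04 LTS host: katex is at the fixed version,
# libjs-katex is on a constructed older revision.
SAMPLE_DPKG_OUTPUT = """\
katex 0.16.10+~cs6.1.0-2ubuntu0.24.04.1~esm1
libjs-katex 0.16.10+~cs6.1.0-2
"""

if __name__ == "__main__":
    for pkg, ok in sorted(check_dpkg_output("24.04", SAMPLE_DPKG_OUTPUT).items()):
        print(f"{pkg}: {'fixed' if ok else 'VULNERABLE'}")
```

On a real host, feed the output of dpkg-query for the two packages into check_dpkg_output with the host's release; the ~esm1 fixed versions for 22.04 LTS and 24.04 LTS are only installable with Ubuntu Pro, so a host without it will remain below the fixed version until the Pro repository is enabled.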

References:
  https://ubuntu.com/security/notices/USN-7572-1
  CVE-2024-28243, CVE-2024-28245, CVE-2024-28246, CVE-2025-23207

Package Information:
  https://launchpad.net/ubuntu/+source/node-katex/0.16.10+~cs6.1.0-2ubuntu0.25.04.1
  https://launchpad.net/ubuntu/+source/node-katex/0.16.10+~cs6.1.0-2ubuntu0.24.10.1
