fix(deps): update dependency katex to v0.16.10 [security] #2807
Conversation
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
|
📦 Next.js Bundle Analysis for docsThis analysis was generated by the Next.js Bundle Analysis action. 🤖 🎉 Global Bundle Size Decreased
DetailsThe global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster. Any third party scripts you have added directly to your app using the If you want further insight into what is behind the changes, give @next/bundle-analyzer a try! |
📦 Next.js Bundle Analysis for swr-siteThis analysis was generated by the Next.js Bundle Analysis action. 🤖 🎉 Global Bundle Size Decreased
DetailsThe global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster. Any third party scripts you have added directly to your app using the If you want further insight into what is behind the changes, give @next/bundle-analyzer a try! Five Pages Changed SizeThe following pages changed size from the code in this PR compared to its base branch:
DetailsOnly the gzipped size is provided here based on an expert tip. First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If Any third party scripts you have added directly to your app using the The "Budget %" column shows what percentage of your performance budget the First Load total takes up. For example, if your budget was 100kb, and a given page's first load size was 10kb, it would be 10% of your budget. You can also see how much this has increased or decreased compared to the base branch of your PR. If this percentage has increased by 20% or more, there will be a red status indicator applied, indicating that special attention should be given to this. If you see "+/- <0.01%" it means that there was a change in bundle size, but it is a trivial enough amount that it can be ignored. |
This PR contains the following updates:
0.16.9->0.16.10GitHub Vulnerability Alerts
CVE-2024-28244
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\defor\newcommandthat causes a near-infinite loop, despite settingmaxExpandto avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
Forbid inputs containing any of the characters
₊₋₌₍₎₀₁₂₃₄₅₆₇₈₉ₐₑₕᵢⱼₖₗₘₙₒₚᵣₛₜᵤᵥₓᵦᵧᵨᵩᵪ⁺⁻⁼⁽⁾⁰¹²³⁴⁵⁶⁷⁸⁹ᵃᵇᶜᵈᵉᵍʰⁱʲᵏˡᵐⁿᵒᵖʳˢᵗᵘʷˣʸᶻᵛᵝᵞᵟᵠᵡbefore passing them to KaTeX.(There is no easy workaround for the auto-render extension.)
Details
KaTeX supports an option named
maxExpandwhich aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.For more information
If you have any questions or comments about this advisory:
CVE-2024-28245
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\includegraphicsthat runs arbitrary JavaScript, or generate invalid HTML.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
trustoption, or set it to forbid\includegraphicscommands."\\includegraphics".Details
\includegraphicsdid not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.For more information
If you have any questions or comments about this advisory:
CVE-2024-28246
Impact
Code that uses KaTeX's
trustoption, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generatejavascript:links in the output, even if thetrustfunction tries to forbid this protocol viatrust: (context) => context.protocol !== 'javascript'.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
trustfunction.context.protocolviacontext.protocol.toLowerCase()before attempting to check for certain protocols.trustoption.Details
KaTeX did not normalize the
protocolentry of thecontextobject provided to a user-specifiedtrust-function, so it could be a mix of lowercase and/or uppercase letters.It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:
Currently KaTeX internally sees
file:andFile:URLs as different protocols, socontext.protocolcan befileorFile, so the above check does not suffice. A simple workaround would be:Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:
CVE-2024-28243
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\edefthat causes a near-infinite loop, despite settingmaxExpandto avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
Forbid inputs containing the substring
"\\edef"before passing them to KaTeX.(There is no easy workaround for the auto-render extension.)
Details
KaTeX supports an option named
maxExpandwhich prevents infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. However, what counted as an "expansion" is a single macro expanding to any number of tokens. The expand-and-define TeX command\edefcan be used to build up an exponential number of tokens using only a linear number of expansions according to this definition, e.g. by repeatedly doubling the previous definition. This has been corrected in KaTeX v0.16.10, where every expanded token in an\edefcounts as an expansion.For more information
If you have any questions or comments about this advisory:
Release Notes
KaTeX/KaTeX (katex)
v0.16.10Compare Source
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.