CVE-2025-23207: \htmlData does not validate attribute names in KaTeX
First published: Fri Jan 17 2025(Updated: )
### Impact KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. ### Patches Upgrade to KaTeX v0.16.21 to remove this vulnerability. ### Workarounds - Avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands. - Forbid inputs containing the substring `"\\htmlData"`. - Sanitize HTML output from KaTeX. ### Details `\htmlData` did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts. ### For more information If you have any questions or comments about this advisory: - Open an issue or security advisory in the [KaTeX repository](https://github.com/KaTeX/KaTeX/) - Email us at [katex-security@mit.edu](mailto:katex-security@mit.edu)
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/katex | >=0.12.0<=0.16.20 | 0.16.21 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-cg87-wmx4-v546
- alias/CVE-2025-23207
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/description
- agent/type
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/npm