CVE-2024-28246

CVE-2024-28246 is a medium-severity security vulnerability in katex (npm), affecting versions >= 0.11.0, < 0.16.10. It is fixed in 0.16.10.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols

Workarounds

  • Allow-list instead of block protocols in your trust function.
  • Manually lowercase context.protocol via context.protocol.toLowerCase() before attempting to check for certain protocols.
  • Avoid use of or turn off the trust option.

Details

KaTeX did not normalize the protocol entry of the context object provided to a user-specified trust-function, so it could be a mix of lowercase and/or uppercase letters.

It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:

Allow all commands but forbid specific protocol: trust: (context) => context.protocol !== 'file'

Currently KaTeX internally sees file: and File: URLs as different protocols, so context.protocol can be file or File, so the above check does not suffice. A simple workaround would be:

trust: (context) => context.protocol.toLowerCase() !== 'file'

Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:

Although schemes are case-insensitive, the canonical form is lowercase and documents that specify schemes must do so with lowercase letters. An implementation should accept uppercase letters as equivalent to lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the sake of robustness but should only produce lowercase scheme names for consistency.

Impact

Code that uses KaTeX's trust option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the output, even if the trust function tries to forbid this protocol via trust: (context) => context.protocol !== 'javascript'.

CVE-2024-28246 has a CVSS score of 5.5 (Medium). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.16.10); upgrading removes the vulnerable code path.

Affected versions

katex (>= 0.11.0, < 0.16.10)

Security releases

katex → 0.16.10 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

Frequently Asked Questions

  1. What is CVE-2024-28246? CVE-2024-28246 is a medium-severity security vulnerability in katex (npm), affecting versions >= 0.11.0, < 0.16.10. It is fixed in 0.16.10.
  2. How severe is CVE-2024-28246? CVE-2024-28246 has a CVSS score of 5.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of katex are affected by CVE-2024-28246? katex (npm) versions >= 0.11.0, < 0.16.10 is affected.
  4. Is there a fix for CVE-2024-28246? Yes. CVE-2024-28246 is fixed in 0.16.10. Upgrade to this version or later.
  5. Is CVE-2024-28246 exploitable, and should I be worried? Whether CVE-2024-28246 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-28246 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-28246? Upgrade katex to 0.16.10 or later.

Other vulnerabilities in katex

Stop the waste.
Protect your environment with Kodem.