GHSA-qwj6-q94f-8425

Source
https://github.com/advisories/GHSA-qwj6-q94f-8425
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-qwj6-q94f-8425/GHSA-qwj6-q94f-8425.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qwj6-q94f-8425
Aliases
Related
Published
2025-01-21T21:17:52Z
Modified
2025-04-02T01:12:10.000085Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
MathLive's Lack of Escaping of HTML allows for XSS
Details

Summary

Although ordinary input is rendered as LaTeX expressions, which prevents XSS, the library also provides commands that emit HTML, such as the \htmlData command, and the lack of escaping in these commands leads to XSS.

Details

Apart from the test folder, no functions that escape HTML can be found anywhere in the code base.

PoC

  1. Go to https://cortexjs.io/mathlive/demo/
  2. Paste either \htmlData{><img/onerror=alert(1)"src=}{} or \htmlData{x=" ><img/onerror=alert(1) src>}{} in the LaTeX textarea.

Impact

Applications that use MathLive to render untrusted mathematical expressions can be made to run arbitrary JavaScript, or to generate invalid HTML, through malicious input that uses \htmlData.
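As an added example of the missing mitigation (this is not MathLive's own code), the snippet below turns the argument of a \htmlData command into data-* attributes while escaping every attribute value and rejecting malformed attribute names, so the two PoC strings above cannot break out of the attribute. The comma-separated key=value argument syntax and the function names are assumptions made for this illustration.

```javascript
// Added example, not MathLive's code: safe rendering of \htmlData{key=value,...}{body}.
// Assumption: the first argument is a comma-separated list of key=value pairs
// (commas inside values are not supported here).

// Replacement table for characters that are significant inside HTML markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string so it is inert inside a double-quoted HTML attribute value
// (the same escaping is also safe for element text content).
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Conservative allow-list for custom data attribute names: a letter, then
// letters, digits or hyphens. Anything else (spaces, '<', '"', ...) is rejected.
const KEY_RE = /^[a-z][a-z0-9-]*$/;

// Parse "k1=v1,k2=v2" into [key, value] pairs; throws on an invalid key.
function parseHtmlDataArg(arg) {
  const pairs = [];
  for (const item of arg.split(',')) {
    const eq = item.indexOf('=');
    const key = (eq === -1 ? item : item.slice(0, eq)).trim();
    const value = eq === -1 ? '' : item.slice(eq + 1).trim();
    if (!KEY_RE.test(key)) {
      throw new Error(`invalid data attribute name: ${JSON.stringify(key)}`);
    }
    pairs.push([key, value]);
  }
  return pairs;
}

// Render the span for \htmlData; returns null when the argument is rejected,
// so the caller can drop the command instead of emitting broken HTML.
function renderHtmlData(arg, body) {
  let pairs;
  try {
    pairs = parseHtmlDataArg(arg);
  } catch (e) {
    return null;
  }
  const attrs = pairs.map(([k, v]) => ` data-${k}="${escapeAttr(v)}"`).join('');
  return `<span${attrs}>${escapeAttr(body)}</span>`;
}
```

Run against the first PoC string the renderer returns null (the key `><img/onerror` fails the name check); against the second it emits `data-x="&quot; &gt;&lt;img/onerror=alert(1) src&gt;"`, which the browser treats as plain attribute text.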

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-21T21:17:52Z"
}
References

Affected packages

npm / mathlive

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.104.0

Database specific

{
    "last_known_affected_version_range": "<= 0.103.0"
}