
Cloud Vulnerability DB
A community-led vulnerabilities database
KaTeX, a fast JavaScript library for TeX math rendering on the web, was found to contain a security vulnerability (CVE-2025-23207) discovered on January 17, 2025. The vulnerability affects versions 0.12.0 through 0.16.20 inclusive. The issue specifically involves the renderToString function when it processes untrusted mathematical expressions that use the \htmlData command (GitHub Advisory, NVD).
The vulnerability stems from insufficient validation of attribute names in the \htmlData command: when rendering an expression, KaTeX did not properly validate the HTML attribute names it emitted, so crafted input could produce invalid or potentially malicious HTML. The issue has been assigned a CVSS v3.1 base score of 6.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified under CWE-116 (Improper Encoding or Escaping of Output) (GitHub Advisory).
The vulnerability could allow attackers to execute arbitrary JavaScript through maliciously crafted mathematical expressions, or to generate invalid HTML, when renderToString is used with untrusted input. This poses a security risk for applications that render user-supplied mathematical content with KaTeX (GitHub Advisory).
Users are advised to upgrade to KaTeX version 0.16.21, which contains the fix for this vulnerability. For those unable to upgrade immediately, several workarounds are available: disable the trust option, configure the trust option to forbid the \htmlData command, reject inputs containing the substring \htmlData, or sanitize the HTML output. The patch validates HTML attribute names properly (GitHub Advisory, Red Hat).
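As an added example (not code from the advisory or from the KaTeX project), the interim workarounds above expressed in JavaScript: an input filter for the \htmlData substring and a trust callback that denies that command. The `render` parameter and the http/https protocol allowlist are assumptions made so the file runs without KaTeX installed; with KaTeX present, `katex.renderToString` would be passed as `render`.

```javascript
// Added example for CVE-2025-23207 workarounds; not the KaTeX project's code.

// Workaround 1: reject raw TeX source that contains the vulnerable command
// before KaTeX ever sees it.
function containsHtmlData(tex) {
  return tex.includes('\\htmlData');
}

// Workaround 2: a `trust` callback. KaTeX invokes it with a context object
// ({command, url, protocol}) for every command that requires trust. Deny
// \htmlData unconditionally; for URL-bearing commands (e.g. \href) allow only
// http/https (assumption: the application only needs web links).
function trustPolicy(context) {
  if (context.command === '\\htmlData') return false;
  if (context.protocol && !['http', 'https'].includes(context.protocol)) return false;
  return true;
}

// Options object in the shape katex.renderToString accepts.
function katexOptions() {
  return {
    trust: trustPolicy,
    throwOnError: false, // render parse errors as text instead of throwing
  };
}

// Combined: refuse \htmlData input outright, otherwise render under the
// restrictive policy. `render(tex, options)` stands in for katex.renderToString.
function renderUntrusted(tex, render) {
  if (containsHtmlData(tex)) {
    return { ok: false, reason: 'input contains \\htmlData' };
  }
  return { ok: true, html: render(tex, katexOptions()) };
}
```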
Source: This report was generated using AI