CVE-2025-23207
Published: 17 January 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-23207 is a vulnerability in KaTeX, a JavaScript library for rendering TeX mathematical expressions on the web. It affects KaTeX users who invoke the `renderToString` function on untrusted mathematical input, allowing malicious expressions containing the `\htmlData` command to execute arbitrary JavaScript or produce invalid HTML output. The issue is rated with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-116 (Improper Encoding or Escaping of Output) and CWE-79 (Cross-site Scripting).
An attacker can exploit this vulnerability over the network with low complexity and low privileges required, without needing user interaction and without changing the scope. By supplying crafted mathematical input containing `\htmlData` to a targeted application using KaTeX's `renderToString`, the attacker achieves low-impact confidentiality, integrity, and availability effects, primarily through arbitrary JavaScript execution (such as cross-site scripting) or malformed HTML generation.
The KaTeX security advisory and related commit recommend upgrading to version 0.16.21, which removes the vulnerability. For users unable to upgrade, mitigations include avoiding or disabling the `trust` option, configuring it to forbid `\htmlData` commands, rejecting inputs containing the substring `"\\htmlData"`, and sanitizing the resulting HTML output from KaTeX. Details are available in the GitHub security advisory (GHSA-cg87-wmx4-v546) and the fixing commit (ff289955e81aab89086eef09254cbf88573d415c).
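The mitigations above, as an added example that is not from the advisory or the KaTeX project: a wrapper for `renderToString` that pre-filters the `\htmlData` substring and passes a `trust` callback which denies that command. KaTeX's documented `trust` contract (a function receiving a context object with `command`, `url`, `protocol`, and so on, returning a boolean) is the only real API assumed; `renderToString` is injected so the block runs without the `katex` package installed.

```javascript
// Added example (not advisory or KaTeX code): defensive options for
// katex.renderToString on untrusted input, per the advisory's mitigations.

// Commands the trust callback may allow. \htmlData is deliberately absent;
// anything not listed is denied. (Allow list is an assumption for this demo.)
const ALLOWED_TRUSTED_COMMANDS = new Set(["\\url", "\\href"]);

// KaTeX calls this with a context object {command, url, protocol, ...}
// whenever input uses a command that needs `trust`.
function trustPolicy(context) {
  // Hard deny the command named in CVE-2025-23207, even if the allow list
  // above is later widened by mistake.
  if (context.command === "\\htmlData") return false;
  if (!ALLOWED_TRUSTED_COMMANDS.has(context.command)) return false;
  // For link commands, only permit web URLs (KaTeX reports the URL scheme
  // as `protocol`, or "_relative" for relative links).
  return context.protocol === "https" || context.protocol === "http";
}

// Pre-filter from the advisory: refuse input containing the literal
// substring \htmlData before it reaches the parser at all.
function containsHtmlData(texInput) {
  return texInput.includes("\\htmlData");
}

// Options to hand to katex.renderToString. `trust` is a function rather than
// `true`, so only trustPolicy() can enable trusted commands; throwOnError
// keeps malformed input from surfacing as an exception to the caller.
const SAFE_KATEX_OPTIONS = Object.freeze({
  trust: trustPolicy,
  throwOnError: false,
});

// renderToString is injected so this runs offline; in production pass
// `katex.renderToString`. Rejected input yields null instead of HTML.
function renderUntrusted(texInput, renderToString) {
  if (containsHtmlData(texInput)) return null;
  return renderToString(texInput, SAFE_KATEX_OPTIONS);
}
```

The advisory also recommends sanitizing the returned HTML; that step (for example with an HTML sanitizer on the `renderUntrusted` result) is not shown here.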
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows execution of arbitrary JavaScript via a malicious `\htmlData` command in untrusted input rendered by KaTeX's `renderToString`, so it maps to exploitation of a client-side software vulnerability for code execution in the web browser.