CVE-2023-39663: Vulnerable regex in MathJax v2 could potentially lead to a ReDoS attack · Issue #3074 · mathjax/MathJax
MathJax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pattern and markdownPattern.
**Issue Summary**
MathJax v2 contains two highly vulnerable regex patterns in MathJax.js: pattern and markdownPattern.
```js
pattern: /%(\d+|\{\d+\}|\{[a-z]+:\%\d+(?:\|(?:%\{\d+\}|%.|[^\}])*)+\}|.)/
markdownPattern: /(%.)|(\*{1,3})((?:%.|.)+?)\2|(`+)((?:%.|.)+?)\4|\[((?:%.|.)+?)\]\(([^\s\)]+)\)/
```
These regex patterns are susceptible to ReDoS (Regular Expression Denial of Service) attacks. If an attacker can control the message passed into MathJax.Message.Set() or MathJax.Localization._(), it could potentially trigger a ReDoS attack.
Steps to Reproduce:
- Use `MathJax.Message.Set(["msg","%{a:%0||||||||||||||||||||||||||||||||||",5]);`
or `MathJax.Localization._("123", "%{a:%0||||||||||||||||||||||||||||||||||");`
With recheck, these two patterns are considered to be exponential ReDoS.
Technical details:
- MathJax Version: <=2.7.9
- Client OS: Mac OS X 12.1
- Browser: Edge 115.0.1901.183
I am using the following MathJax configuration:
```js
MathJax.Hub.Config({
  tex2jax: {
    inlineMath: [["$","$"],["\\(","\\)"]],
    displayMath: [['$$','$$'], ["\\[","\\]"]]
  }
});
```
and loading MathJax via
<script src="http://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js?config=TeX-AMS_CHTML-full"></script>
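An added example (not part of the issue and not MathJax's code) that times the `pattern` regex from the report, with its backslash escapes restored, against the report's input shape at short lengths, next to a hardened variant. The `HARDENED` regex, the `probe` and `agreesOnBenign` helpers and the sample strings are assumptions made for illustration, not the fix MathJax shipped.

```javascript
// VULNERABLE is the `pattern` regex from the issue. HARDENED is an assumed
// rewrite for illustration only, not the fix shipped by MathJax.
const VULNERABLE = /%(\d+|\{\d+\}|\{[a-z]+:\%\d+(?:\|(?:%\{\d+\}|%.|[^\}])*)+\}|.)/;

// In VULNERABLE, [^\}] also matches "|", so a run of n pipes can be divided
// between the outer (...)+ and the inner (...)* in 2^(n-1) ways, and a
// backtracking engine tries every one when the closing "}" is missing.
// Excluding "|" and "%" from the class leaves one way to tokenize the choices.
const HARDENED = /%(\d+|\{\d+\}|\{[a-z]+:%\d+(?:\|(?:%\{\d+\}|%.|[^}|%])*)+\}|.)/;

// Constructed well-formed strings; both patterns must agree on them.
const BENIGN = ["%1", "%{2}", "%{plural:%1|one file|%1 files}", "%{plural:%1|a%|b|c}"];

// Time one match attempt against the input shape used in the report.
function probe(re, pipes) {
  const input = "%{a:%0" + "|".repeat(pipes);
  const t0 = performance.now();
  const m = re.exec(input);
  return { pipes, ms: performance.now() - t0, match: m && m[0] };
}

// Regression check: the hardened pattern matches the same text on benign input.
function agreesOnBenign() {
  return BENIGN.every((s) => VULNERABLE.exec(s)[0] === HARDENED.exec(s)[0]);
}

// Short lengths only: the vulnerable timing grows exponentially with the
// number of pipes, while the hardened timing stays flat.
for (let n = 14; n <= 22; n += 2) {
  const v = probe(VULNERABLE, n);
  const h = probe(HARDENED, n);
  console.log(`${n} pipes  vulnerable ${v.ms.toFixed(2)} ms  hardened ${h.ms.toFixed(3)} ms`);
}
console.log("benign strings agree:", agreesOnBenign());
```

A timing probe like `probe` can serve as a regression test for any regex that receives untrusted text: fail the build when the match time grows faster than the input length.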