MathJax, a widely used JavaScript library for rendering mathematical notation, was reported to contain two Regular Expression Denial of Service (ReDoS) vulnerabilities in MathJax.js (up to version 2.7.9), located in the components pattern and the markdownPattern. The vendor disputes the severity of these findings, arguing that there is no risk because the regular expressions are never applied to user input. In this long-read post, we will walk through the affected code snippets, the original references, and the reported exploit details, and discuss the vendor's rationale for disputing the impact.

Background

MathJax is a popular JavaScript display engine used to render equations and mathematical notation on the web. It is utilized by educational websites, blogs, forums, repositories, and other platforms that require mathematical notation.

Vulnerability Details

The two ReDoS vulnerabilities in MathJax.js stem from the "components" pattern and the "markdownPattern". In the Common Vulnerabilities and Exposures (CVE) database, both are tracked under the single identifier CVE-2023-39663.

A ReDoS attack exploits a weakness in a regular expression (regex) by supplying input that makes the regex engine backtrack for an exceedingly long time, effectively causing a Denial of Service (DoS) and leaving the target application unresponsive.

MathJax.js - components pattern

The components pattern in MathJax.js contains the affected regular expression, as seen in the following code snippet:

components: {
    pattern: /(Math|AM|TeX|mhchem)=\{(.*?)\},(Math|AM|TeX|mhchem)=\{(.*?)\}/,
    group: {
        Math: 2,
        AM: 4,
        TeX: 6,
        mhchem: 8
    }
}

MathJax.js - markdownPattern

Similarly, the markdownPattern in MathJax.js contains the second affected regular expression:

markdownPattern: /%\s([\w\-]+):(.*)(?:\((.*?)\))?/g
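To make the ReDoS explanation above concrete from a defender's side, here is an added triage harness (example code written for this post, not MathJax's own) that applies the two checks a practitioner wants before a pattern like the two shown here ever meets untrusted text: an input-length cap that refuses over-long strings before the regex runs, and a timing check that reports how match time grows with input size so super-linear backtracking stands out. The two regexes are copied from the page; the helper names (boundedMatch, growthCheck, makeComponentsInput), the length cap, and the "Name={value}" sample input are assumptions constructed for the example.

```javascript
// Added example, not MathJax code. A small triage harness for regular
// expressions that may be reachable from untrusted input: it enforces a
// length cap before matching and measures how match time scales with
// input size.

// The two patterns named in CVE-2023-39663, copied from the page.
const COMPONENTS_PATTERN = /(Math|AM|TeX|mhchem)=\{(.*?)\},(Math|AM|TeX|mhchem)=\{(.*?)\}/;
const MARKDOWN_PATTERN = /%\s([\w\-]+):(.*)(?:\((.*?)\))?/g;

// High-resolution clock where available (Node >= 16 exposes performance globally).
const now = () => (globalThis.performance ? performance.now() : Date.now());

// Mitigation: never hand an unbounded string to a regex that is, or could
// become, exposed to untrusted data. Returns null when the cap is exceeded so
// the caller can reject or log instead of blocking the event loop.
// (maxLen of 4096 is an assumed default, not a MathJax setting.)
function boundedMatch(regex, input, maxLen = 4096) {
  if (typeof input !== "string" || input.length > maxLen) return null;
  regex.lastIndex = 0; // make /g patterns deterministic per call
  return regex.exec(input);
}

// Constructed benign input: n well-formed "Name={value}" pairs joined by commas.
function makeComponentsInput(n) {
  const names = ["Math", "AM", "TeX", "mhchem"];
  const parts = [];
  for (let i = 0; i < n; i++) parts.push(`${names[i % 4]}={v${i}}`);
  return parts.join(",");
}

// Time a single exec() call, in milliseconds.
function timeMatch(regex, input) {
  regex.lastIndex = 0;
  const t0 = now();
  regex.exec(input);
  return now() - t0;
}

// Run the regex on inputs of increasing size and return the timings plus a
// growth ratio: (time at largest / time at smallest) divided by
// (size of largest / size of smallest). Around 1 or below means roughly
// linear; a ratio that keeps climbing with size means the pattern should be
// capped or rewritten before it is exposed to untrusted text.
function growthCheck(regex, makeInput, sizes = [1000, 2000, 4000, 8000], reps = 5) {
  const timings = sizes.map((n) => {
    const input = makeInput(n);
    let best = Infinity;
    for (let r = 0; r < reps; r++) best = Math.min(best, timeMatch(regex, input));
    return { size: input.length, ms: best };
  });
  const first = timings[0];
  const last = timings[timings.length - 1];
  const sizeRatio = last.size / first.size;
  const timeRatio = last.ms / Math.max(first.ms, 1e-3); // avoid divide-by-zero
  return { timings, growthRatio: timeRatio / sizeRatio };
}

// Stand-alone usage: match a small config string and print the growth report.
if (typeof require !== "undefined" && require.main === module) {
  console.log(boundedMatch(COMPONENTS_PATTERN, makeComponentsInput(2)));
  console.log(growthCheck(COMPONENTS_PATTERN, makeComponentsInput));
}
```

Note that on the constructed well-formed input the components pattern matches near the start of the string, so the report comes out flat; the harness is meant to be run with whatever input shapes a code review suggests a given call site can actually receive, which is exactly the question the vendor's dispute turns on. The length cap is the cheap, general control: it bounds worst-case matching time regardless of how the pattern backtracks.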

The above vulnerabilities were initially reported and documented in the following resources:

1. CVE-2023-39663 - CVE Details
2. NVD - CVE-2023-39663

Vendor's Dispute

The MathJax team disputes that these vulnerabilities pose any risk, since the affected regex patterns are not applied to user input. According to the vendor, an attacker could not exploit them because the patterns are used only internally and never process data from external sources or users.

Conclusion

The two ReDoS vulnerabilities reported in MathJax.js raised concerns about potential Denial of Service risk. The vendor, however, disputes their severity, contending that the regular expressions are not applied to user input and therefore pose no risk. Although the patterns themselves are susceptible to ReDoS, the vendor's response that they are not reachable from untrusted input offers some reassurance. Developers and users should still be aware of such issues and keep their software up to date to limit the chance of exploitation.

Timeline

Published on: 08/29/2023 20:15:09 UTC
Last modified on: 11/07/2023 04:17:36 UTC