CVE-2023-39663
Publication date 29 August 2023
Last updated 4 August 2025
Ubuntu priority
Description
Mathjax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pattern and markdownPattern. NOTE: the vendor disputes this because the regular expressions are not applied to user input; thus, there is no risk.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mathjax | ||
| 22.04 LTS jammy | Ignored not a vulnerability | |
| 20.04 LTS focal | Ignored not a vulnerability | |
| 18.04 LTS bionic | Ignored not a vulnerability | |
| 16.04 LTS xenial | Ignored not a vulnerability | |
| 14.04 LTS trusty | Ignored not a vulnerability |
Notes
alexmurray
Upstream dispute this CVE since these components are internal to MathJax.js and cannot be influenced by a user / attacker so there is no way to abuse this as a ReDoS
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |