
MathJax 2.7.2 dependency has security vulnerabilities #2557

Open
1 of 5 tasks
mmitchell-w opened this issue May 21, 2024 · 3 comments
Labels
external related to external issue from upstream / downstream tools

Comments

@mmitchell-w

RMarkdown depends on https://mathjax.rstudio.com/latest/MathJax.js, which points to MathJax 2.7.2.

MathJax 2.7.2 is affected by the following vulnerabilities:

https://nvd.nist.gov/vuln/detail/CVE-2018-1999024 (fixed by 2.7.4)
https://nvd.nist.gov/vuln/detail/CVE-2023-39663 (still present in 2.7.9, disputed by vendor)

I recommend the package depend on 2.7.9, which should be backwards compatible with 2.7.2. The next version after 2.7.9 is 3.0, which has many breaking changes.

From https://www.mathjax.org/cdn-shutting-down/

We recommend cdnjs which also uses CloudFlare for delivery (and on the higher “enterprise” level!). We have been in touch with cdnjs’s maintainers and will help push future MathJax releases to cdnjs.

I recommend that RMarkdown use https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.9/MathJax.min.js as its default instead of https://mathjax.rstudio.com/latest/MathJax.js.

In our case, we weren't using MathJax's features, so we turned MathJax off using the yaml directive output: mathjax: null. Note that the comment // initialize mathjax remains in the rendered HTML.

See https://github.com/rstudio/rmarkdown/blob/main/R/shiny.R line 385 and https://github.com/rstudio/rmarkdown/blob/main/R/html_document_base.R line 269.

Checklist

When filing a bug report, please check the boxes below to confirm that you have provided us with the information we need. Have you:

  • formatted your issue so it is easier for us to read?

  • included a minimal, self-contained, and reproducible example?

  • pasted the output from xfun::session_info('rmarkdown') in your issue?

  • upgraded all your packages to their latest versions (including your versions of R, the RStudio IDE, and relevant R packages)?

  • installed and tested your bug with the development version of the rmarkdown package using remotes::install_github("rstudio/rmarkdown") ?

@mmitchell-w (Author)

See also rstudio/rstudio#11535

@cderv cderv added the external related to external issue from upstream / downstream tools label May 21, 2024
@cderv (Collaborator)

cderv commented May 21, 2024

Related also to

rstudio/rstudio#11535 is the right place to follow this, as rmarkdown defaults to using this version. Depending on the reply there, we'll consider alternatives.

It is possible to change the MathJax version already using parameters in output formats in the meantime.
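The two workarounds mentioned in this thread, pinning a newer MathJax release from cdnjs or disabling MathJax entirely, are both expressed through the mathjax parameter of the html_document output format. The following YAML front matter is an added example for this issue, not configuration shipped by rmarkdown; it assumes the document uses html_document (other HTML-based formats such as ioslides_presentation accept the same parameter) and that the cdnjs URL for 2.7.9 quoted earlier in the issue is the one you want to pin. Only one of the three output blocks should be kept in a real document; they are shown together for comparison.

```yaml
# Default: omitting `mathjax` (or setting it to "default") loads
# https://mathjax.rstudio.com/latest/MathJax.js, which resolves to
# MathJax 2.7.2 as reported above.
output:
  html_document:
    mathjax: default

# Pinned: point `mathjax` at a specific release on cdnjs so that the
# version served is fixed and known (2.7.9 is the last 2.x release and
# stays API-compatible with 2.7.2; 3.x is a breaking change).
output:
  html_document:
    mathjax: "https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.9/MathJax.min.js"

# Disabled: documents that render no LaTeX math can drop the script
# entirely, which removes the dependency from the rendered HTML.
output:
  html_document:
    mathjax: null
```

The same setting can be passed programmatically when rendering from R, for example rmarkdown::html_document(mathjax = "https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.9/MathJax.min.js") or rmarkdown::html_document(mathjax = NULL). After rendering, grepping the output HTML for "MathJax" confirms which URL, if any, ended up in the page.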
