https://mathjax.rstudio.com/latest/MathJax.js has security vulnerabilities

https://mathjax.rstudio.com/latest/MathJax.js points to MathJax 2.7.2.

MathJax 2.7.2 is affected by the following vulnerabilities:

https://nvd.nist.gov/vuln/detail/CVE-2018-1999024 (fixed by 2.7.4)
https://nvd.nist.gov/vuln/detail/CVE-2023-39663 (still present in 2.7.9, disputed by vendor)

I recommend the site point to 2.7.9, which should be backwards compatible with 2.7.2. The next version after 2.7.9 is 3.0, which has many breaking changes.

2.7.9 can be found at https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.9/MathJax.min.js

See also MathJax 2.7.2 dependency has security vulnerabilities · Issue #2557 · rstudio/rmarkdown (github.com)

Perhaps you could bump this issue; I'm thinking it's related:
Update to latest release of MathJax 2.7 · Issue #11535 · rstudio/rstudio (github.com)
"[cderv] has reached out to ask about the ownership of mathjax.rstudio.com, but not yet received a response"

Thanks @mmitchell-w and @nirgrahamuk, I've sent a note to our internal folks.

Best,
Randy

An update on this: mathjax.rstudio.com/latest has been updated to 2.7.9

This means all rmarkdown documents using the default value will now use 2.7.9.

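A way to check rendered HTML for the situation reported in this thread, as an added example that is not code from the thread or from rmarkdown: it lists each MathJax `<script>` reference and classifies it against 2.7.4, the release the report names as fixing CVE-2018-1999024. The function names and sample inputs are hypothetical, and it assumes MathJax 2.x files carry an assignment of the form `MathJax.version = "2.7.2"`, which is needed for alias URLs such as `/latest/` that carry no version.

```javascript
// Added example, not code from the thread. Sample inputs are constructed.
const FIXED_IN = "2.7.4"; // per the report: CVE-2018-1999024 is fixed by 2.7.4

// Compare dotted versions numerically: negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Assumption: MathJax 2.x sources contain MathJax.version = "x.y.z".
function versionFromBody(js) {
  const m = /MathJax\.version\s*=\s*["'](\d+(?:\.\d+)*)["']/.exec(js);
  return m ? m[1] : null;
}

// Version pinned in the URL path, e.g. .../mathjax/2.7.9/MathJax.min.js
function versionFromUrl(src) {
  const m = /\/(\d+\.\d+(?:\.\d+)*)\/MathJax(?:\.min)?\.js/i.exec(src);
  return m ? m[1] : null;
}

// One finding per MathJax <script src> in an HTML document.
// fetchedBodies (optional) maps src -> file contents the caller downloaded;
// without it, an alias URL such as /latest/ is reported as "unknown".
function auditMathJax(html, fetchedBodies = {}) {
  const findings = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']*MathJax(?:\.min)?\.js[^"']*)["']/gi;
  for (const [, src] of html.matchAll(re)) {
    const body = fetchedBodies[src];
    const version = versionFromUrl(src) || (body ? versionFromBody(body) : null);
    let status = "unknown";
    if (version) status = compareVersions(version, FIXED_IN) < 0 ? "outdated" : "ok";
    findings.push({ src, version, status });
  }
  return findings;
}

// Constructed sample: one alias reference and one pinned reference.
const SAMPLE_ALIAS = "https://mathjax.rstudio.com/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML";
const SAMPLE_HTML = `<script src="${SAMPLE_ALIAS}"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.9/MathJax.min.js"></script>`;
const SAMPLE_BODY = 'MathJax.version = "2.7.2"; MathJax.fileversion = "2.7.2";';
console.log(auditMathJax(SAMPLE_HTML, { [SAMPLE_ALIAS]: SAMPLE_BODY }));
```

An "ok" status only means the version is at or above 2.7.4; it says nothing about CVE-2023-39663, which the report lists as still present in 2.7.9.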
