From 00a304e89043ba5755d8d23b8786109a8b7be420 Mon Sep 17 00:00:00 2001
From: Jose Ignacio Palma
Date: Tue, 16 Jun 2026 01:02:32 -0400
Subject: [PATCH] fix: update MathJax CDN from 2.7.5 to 2.7.9 (CVE-2023-39663)

MathJax 2.7.5 is vulnerable to ReDoS (Regular Expression Denial of Service) via CVE-2023-39663. This updates all CDN references to use MathJax 2.7.9 which includes the fix.
---
 cms/djangoapps/pipeline_js/js/xmodule.js | 2 +-
 cms/static/cms/js/require-config.js | 2 +-
 cms/static/cms/js/spec/main.js | 2 +-
 cms/static/cms/js/spec/main_squire.js | 2 +-
 common/static/common/js/discussion/mathjax_include.js | 2 +-
 common/templates/mathjax_include.html | 2 +-
 common/templates/xblock_v2/xblock_iframe.html | 2 +-
 lms/static/lms/js/spec/main.js | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cms/djangoapps/pipeline_js/js/xmodule.js b/cms/djangoapps/pipeline_js/js/xmodule.js
index 8a19355c1a93..3f291cd5fcdc 100644
--- a/cms/djangoapps/pipeline_js/js/xmodule.js
+++ b/cms/djangoapps/pipeline_js/js/xmodule.js
@@ -18,7 +18,7 @@ define(
 window._ = _;
 $script(
- 'https://cdn.jsdelivr.net/npm/mathjax@2.7.5/MathJax.js'
+ 'https://cdn.jsdelivr.net/npm/mathjax@2.7.9/MathJax.js'
 + '?config=TeX-MML-AM_SVG&delayStartupUntil=configured',
 'mathjax',
 function() {
diff --git a/cms/static/cms/js/require-config.js b/cms/static/cms/js/require-config.js
index d2bc6341ebba..70bf6b130600 100644
--- a/cms/static/cms/js/require-config.js
+++ b/cms/static/cms/js/require-config.js
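Review bot: The bump to 2.7.9 in the `$script(` URL may not close the finding the subject line claims: as far as I recall the published description of CVE-2023-39663, it lists MathJax versions up to and including 2.7.9 as affected, i.e. the whole 2.x line, so please confirm against the advisory before treating this as resolved. If 2.x is indeed unpatched, the real remediation is a move to a 3.x release, which is an API change rather than a URL edit, and in the meantime the commit message should say the upgrade reduces rather than removes the ReDoS exposure. The same URL bump recurs in the require-config.js, cms and lms spec main.js, main_squire.js, mathjax_include.js, mathjax_include.html and xblock_iframe.html hunks, so whatever conclusion is reached applies to all eight. The `define(` callback enclosing this `$script(` call starts before the hunk and continues past it.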
@@ -137,7 +137,7 @@
 'jquery_extend_patch': 'js/src/jquery_extend_patch',
 // externally hosted files
- mathjax: 'https://cdn.jsdelivr.net/npm/mathjax@2.7.5/MathJax.js?config=TeX-MML-AM_SVG&delayStartupUntil=configured', // eslint-disable-line max-len
+ mathjax: 'https://cdn.jsdelivr.net/npm/mathjax@2.7.9/MathJax.js?config=TeX-MML-AM_SVG&delayStartupUntil=configured', // eslint-disable-line max-len
 'youtube': [
 // youtube URL does not end in '.js'. We add '?noext' to the path so
 // that require.js adds the '.js' to the query component of the URL,
diff --git a/cms/static/cms/js/spec/main.js b/cms/static/cms/js/spec/main.js
index 4e093ee573b4..aaad0a7c349c 100644
--- a/cms/static/cms/js/spec/main.js
+++ b/cms/static/cms/js/spec/main.js
@@ -69,7 +69,7 @@
 'domReady': 'xmodule_js/common_static/js/vendor/domReady',
 'URI': 'xmodule_js/common_static/js/vendor/URI.min',
 'mock-ajax': 'xmodule_js/common_static/js/vendor/mock-ajax',
- mathjax: 'https://cdn.jsdelivr.net/npm/mathjax@2.7.5/MathJax.js?config=TeX-MML-AM_SVG&delayStartupUntil=configured', // eslint-disable-line max-len
+ mathjax: 'https://cdn.jsdelivr.net/npm/mathjax@2.7.9/MathJax.js?config=TeX-MML-AM_SVG&delayStartupUntil=configured', // eslint-disable-line max-len
 'youtube': '//www.youtube.com/player_api?noext',
 'js/src/ajax_prefix': 'xmodule_js/common_static/js/src/ajax_prefix',
 'js/spec/test_utils': 'js/spec/test_utils'
diff --git a/cms/static/cms/js/spec/main_squire.js b/cms/static/cms/js/spec/main_squire.js
index 8feb05692273..9885a70d28e1 100644
--- a/cms/static/cms/js/spec/main_squire.js
+++ b/cms/static/cms/js/spec/main_squire.js
@@ -48,7 +48,7 @@
 'draggabilly': 'xmodule_js/common_static/js/vendor/draggabilly',
 'domReady': 'xmodule_js/common_static/js/vendor/domReady',
 'URI': 'xmodule_js/common_static/js/vendor/URI.min',
- mathjax: 'https://cdn.jsdelivr.net/npm/mathjax@2.7.5/MathJax.js?config=TeX-MML-AM_SVG&delayStartupUntil=configured', // eslint-disable-line max-len
+ mathjax: 'https://cdn.jsdelivr.net/npm/mathjax@2.7.9/MathJax.js?config=TeX-MML-AM_SVG&delayStartupUntil=configured', // eslint-disable-line max-len
 'youtube': '//www.youtube.com/player_api?noext',
 'js/src/ajax_prefix': 'xmodule_js/common_static/js/src/ajax_prefix'
 },
diff --git a/common/static/common/js/discussion/mathjax_include.js b/common/static/common/js/discussion/mathjax_include.js
index 074354566e1b..7a9a24aadb1e 100644
--- a/common/static/common/js/discussion/mathjax_include.js
+++ b/common/static/common/js/discussion/mathjax_include.js
@@ -51,6 +51,6 @@ if (typeof MathJax === 'undefined') {
 explorer: true
 }
 };
- vendorScript.src = 'https://cdn.jsdelivr.net/npm/mathjax@2.7.5/MathJax.js?config=TeX-MML-AM_HTMLorMML';
+ vendorScript.src = 'https://cdn.jsdelivr.net/npm/mathjax@2.7.9/MathJax.js?config=TeX-MML-AM_HTMLorMML';
 document.body.appendChild(vendorScript);
 }
diff --git a/common/templates/mathjax_include.html b/common/templates/mathjax_include.html
index ead5a935ee94..edb20c726b23 100644
--- a/common/templates/mathjax_include.html
+++ b/common/templates/mathjax_include.html
@@ -116,5 +116,5 @@
-
+
 %endif
diff --git a/common/templates/xblock_v2/xblock_iframe.html b/common/templates/xblock_v2/xblock_iframe.html
index cd3096aa4626..e4a608caccb2 100644
--- a/common/templates/xblock_v2/xblock_iframe.html
+++ b/common/templates/xblock_v2/xblock_iframe.html
@@ -187,7 +187,7 @@
-
+
 {{ fragment.head_html | safe }}
diff --git a/lms/static/lms/js/spec/main.js b/lms/static/lms/js/spec/main.js
index d8bc1417e86e..d56db0dbd534 100644
--- a/lms/static/lms/js/spec/main.js
+++ b/lms/static/lms/js/spec/main.js
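Review bot: In the mathjax_include.js hunk, `vendorScript.src` still points at a third-party CDN with no subresource-integrity check, so the page runs whatever jsdelivr serves for that path; since the version is now pinned in the URL, the element can carry a pinned hash too, e.g. `vendorScript.integrity = 'sha384-<HASH_OF_MATHJAX_2_7_9_FILE>';` and `vendorScript.crossOrigin = 'anonymous';` before the `document.body.appendChild(vendorScript)` line (the hash is a placeholder to be computed from the exact file fetched). The two template hunks (mathjax_include.html and xblock_iframe.html) appear to be plain script tags whose markup was stripped in this view; if so, the equivalent there is the `integrity` and `crossorigin` attributes. Since the `?config=` query suggests MathJax fetches further component files at runtime, SRI on the loader script alone would not cover those, so a CSP `script-src` allow-list for the CDN origin is the complementary control. The enclosing `if (typeof MathJax === 'undefined')` block starts before the hunk.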
@@ -56,7 +56,7 @@
 'squire': 'common/js/vendor/Squire',
 'jasmine-imagediff': 'xmodule_js/common_static/js/vendor/jasmine-imagediff',
 'domReady': 'xmodule_js/common_static/js/vendor/domReady',
- mathjax: 'https://cdn.jsdelivr.net/npm/mathjax@2.7.5/MathJax.js?config=TeX-MML-AM_HTMLorMML&delayStartupUntil=configured', // eslint-disable-line max-len
+ mathjax: 'https://cdn.jsdelivr.net/npm/mathjax@2.7.9/MathJax.js?config=TeX-MML-AM_HTMLorMML&delayStartupUntil=configured', // eslint-disable-line max-len
 'youtube': '//www.youtube.com/player_api?noext',
 'js/src/ajax_prefix': 'xmodule_js/common_static/js/src/ajax_prefix',
 'js/instructor_dashboard/student_admin': 'js/instructor_dashboard/student_admin',