CVE-2020-37012 Overview
Tea LaTeX 1.0 contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API action. This vulnerability stems from improper input validation (CWE-78: OS Command Injection), enabling complete system compromise without any authentication requirements.
Critical Impact
Unauthenticated attackers can achieve full remote code execution on systems running Tea LaTeX 1.0 by injecting shell commands through the LaTeX processing API, potentially leading to complete server compromise.
Affected Products
- Tea LaTeX 1.0
- Systems exposing the /api.php endpoint
- Web applications utilizing the tex2png API action
Discovery Timeline
- 2026-01-29 - CVE CVE-2020-37012 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-37012
Vulnerability Analysis
This vulnerability is classified as OS Command Injection (CWE-78), a severe flaw where user-supplied input is incorporated into operating system commands without proper sanitization. The Tea LaTeX application processes LaTeX documents and converts them to images via the tex2png API action accessible through /api.php. The application fails to adequately validate and sanitize LaTeX content before passing it to the underlying system shell for processing.
LaTeX, as a document preparation system, supports various commands that can interact with the underlying operating system. When the application processes user-supplied LaTeX content without proper restrictions, attackers can leverage LaTeX's \write18 directive or similar mechanisms to execute arbitrary shell commands. Since the endpoint requires no authentication, any network-accessible attacker can exploit this vulnerability to gain code execution privileges on the server.
Root Cause
The root cause is insufficient input validation and sanitization in the LaTeX processing pipeline. The application directly processes user-supplied LaTeX content without restricting dangerous LaTeX primitives that enable shell command execution. The tex2png API action passes untrusted input to the LaTeX compiler, which may be configured to allow shell escapes, permitting arbitrary command execution through LaTeX directives.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the /api.php endpoint with the tex2png action, embedding malicious LaTeX code containing shell commands. When the server processes this LaTeX content, the embedded commands are executed with the privileges of the web server process.
The exploitation process involves:
- Identifying an exposed Tea LaTeX instance with an accessible /api.php endpoint
- Crafting a LaTeX document containing shell escape commands (e.g., using \write18 or \immediate\write18)
- Sending the malicious payload to the tex2png API action
- The LaTeX compiler processes the document and executes the embedded shell commands
Technical details and proof-of-concept information are available in the Exploit-DB entry #48805 and the VulnCheck Advisory.
Detection Methods for CVE-2020-37012
Indicators of Compromise
- Unusual HTTP POST requests to /api.php containing LaTeX syntax with shell escape commands
- Presence of \write18, \immediate\write18, or similar LaTeX primitives in request payloads
- Unexpected child processes (shells, interpreters, network tools) spawned by the LaTeX compiler process itself (pdflatex, latex or tex)
- Web server logs showing repeated requests to /api.php?action=tex2png with suspicious payloads
Detection Strategies
- Deploy web application firewall (WAF) rules to inspect and block requests containing LaTeX shell escape directives (\write18, \immediate\write18, \input{|...})
- Monitor process trees for unexpected command execution originating from LaTeX-related processes
- Implement intrusion detection signatures for HTTP traffic targeting /api.php with command injection patterns
- Review web server access logs for anomalous patterns targeting the Tea LaTeX API endpoint
Monitoring Recommendations
- Enable verbose logging on the web application to capture full request bodies for forensic analysis
- Configure endpoint detection and response (EDR) solutions to alert on shell commands spawned by LaTeX compiler processes
- Set up alerts for outbound network connections initiated by the web server process that may indicate reverse shell activity
- Monitor file system activity in web-accessible directories for unauthorized file creation or modification
How to Mitigate CVE-2020-37012
Immediate Actions Required
- Remove or disable access to the /api.php endpoint if the LaTeX conversion functionality is not required
- Implement network-level access controls to restrict access to the Tea LaTeX application from trusted sources only
- If the application must remain accessible, place it behind a reverse proxy with strict request filtering
- Audit systems for signs of prior exploitation and investigate any suspicious activity
Patch Information
Refer to the GitHub Repository for updated versions or patches addressing this vulnerability. The VulnCheck Advisory provides additional remediation guidance.
Workarounds
- Configure the LaTeX compiler to run in restricted mode by disabling shell escapes (e.g., use --no-shell-escape flag for pdflatex)
- Implement a strict allowlist of permitted LaTeX commands and filter out dangerous primitives before processing
- Run the LaTeX processing service in a sandboxed environment with minimal privileges and no network access
- Deploy input validation to reject LaTeX content containing shell escape sequences before processing
# Disable shell escapes system-wide in the TeX configuration file (texmf.cnf)
shell_escape = f
# Also pass the restriction explicitly on every invocation, and make sure the
# application never adds -shell-escape to the command line, since a
# command-line flag takes precedence over texmf.cnf
pdflatex --no-shell-escape document.tex
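The following Python is an added example, not code from the page or from the Tea LaTeX project: it implements the pre-processing filter from the workaround list and the access-log triage from the detection section with one shared matcher, and builds the hardened pdflatex invocation. The pattern names, the assumption that the LaTeX body arrives in a `content` query parameter, and the sample log lines are all constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed patterns for the primitives that reach the shell; only
# \write18, \immediate\write18 and \input{|...} are named on the page.
SHELL_ESCAPE_PATTERNS = {
    "write18": re.compile(r"(?:\\immediate\s*)?\\write\s*18\b"),
    "piped-input": re.compile(r"\\input\s*\{?\s*\|"),
}


def find_shell_escapes(latex: str) -> list[str]:
    """Return the names of shell-escape primitives found in a LaTeX body.

    Pattern matching is a filter and triage aid only; the control that actually
    prevents execution is compiling with shell escape disabled (see below).
    """
    return [name for name, rx in SHELL_ESCAPE_PATTERNS.items() if rx.search(latex)]


def triage_access_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Flag requests to /api.php with action=tex2png whose LaTeX matches.

    Assumes the source travels URL-encoded as the 'content' query parameter;
    for a POST body, run find_shell_escapes() over the body instead.
    """
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/api.php"):
            continue
        qs = parse_qs(url.query)  # parse_qs also URL-decodes the values
        if qs.get("action", [""])[0] != "tex2png":
            continue
        found = find_shell_escapes(qs.get("content", [""])[0])
        if found:
            hits.append((line.split()[0], found))  # (client IP, primitives)
    return hits


def pdflatex_command(tex_path: str, out_dir: str) -> list[str]:
    """Hardened compiler argv: shell escape off regardless of texmf.cnf."""
    return ["pdflatex", "--no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", "-output-directory", out_dir, tex_path]


# Constructed sample access-log lines (Apache combined format), not real data;
# CMD is a placeholder for whatever the request would try to run.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jan/2026:10:01:02 +0000] "GET /api.php?action=tex2png'
    '&content=%5Cimmediate%5Cwrite18%7BCMD%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Jan/2026:10:02:10 +0000] "GET /api.php?action=tex2png'
    '&content=%24x%5E2%24 HTTP/1.1" 200 3120',
    '203.0.113.5 - - [29/Jan/2026:10:03:44 +0000] "GET /index.php HTTP/1.1" 200 88',
]
```

Run `triage_access_log(SAMPLE_LOG)` to see only the first request flagged; the legitimate `$x^2$` request and the unrelated path are ignored.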
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

