CVE-2023-32700 Overview
CVE-2023-32700 is a command injection vulnerability affecting LuaTeX before version 1.17.0 that allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. The vulnerability exists because luatex-core.lua permits access to the original io.popen function, enabling attackers to execute system commands through specially crafted TeX documents.
This vulnerability impacts multiple popular TeX distributions including TeX Live and MiKTeX, which are widely used in academic, publishing, and scientific communities for document preparation. The attack vector is local and requires user interaction, typically compiling a malicious TeX file.
Critical Impact
Attackers can achieve arbitrary code execution on systems that compile untrusted TeX documents, potentially leading to complete system compromise, data theft, or lateral movement within a network.
Affected Products
- LuaTeX before version 1.17.0
- TeX Live before 2023 r66984
- MiKTeX before version 23.5
Discovery Timeline
- 2023-05-20 - CVE-2023-32700 published to NVD
- 2025-01-31 - Last updated in NVD database
Technical Details for CVE-2023-32700
Vulnerability Analysis
This vulnerability is classified as Command Injection (CWE-77), where untrusted input is passed to a system shell for execution. In the context of LuaTeX, the document processing engine extends TeX with Lua scripting capabilities, which provides powerful programmatic control over document compilation.
The core issue stems from the luatex-core.lua initialization file failing to properly restrict access to the io.popen function. This Lua standard library function opens a process by creating a pipe and executing a shell command. While LuaTeX implements security restrictions to prevent shell access in certain modes, the original io.popen function remained accessible, bypassing these protections.
When a user compiles a malicious TeX document, embedded Lua code can invoke io.popen to execute arbitrary commands with the privileges of the user running the TeX compiler. This is particularly dangerous in automated document processing pipelines or when users compile documents from untrusted sources such as preprint servers, online LaTeX editors, or email attachments.
Root Cause
The root cause lies in the incomplete sandboxing of Lua functions within luatex-core.lua. While the LuaTeX security model attempts to restrict dangerous operations, the implementation preserved a reference to the original io.popen function that could be accessed by malicious documents. This architectural oversight allowed attackers to bypass the intended security restrictions by directly calling the preserved function reference.
Attack Vector
The attack requires local access, meaning the attacker must convince a victim to compile a malicious TeX document. Attack scenarios include:
- Academic Collaboration: An attacker shares a malicious LaTeX file as a research paper draft or template
- Supply Chain Attacks: Compromised LaTeX packages distributed through CTAN or other repositories
- Automated Processing Systems: Document conversion services that accept user-uploaded TeX files
- Online LaTeX Editors: Shared projects containing malicious code
The attacker crafts a TeX document containing embedded Lua code that accesses the io.popen function to execute shell commands. When the victim compiles this document using an affected version of LuaTeX, the commands execute with the victim's privileges.
Detection Methods for CVE-2023-32700
Indicators of Compromise
- Unexpected child processes spawned from LuaTeX, pdflatex, or related TeX executables
- TeX compilation processes making network connections or accessing sensitive files
- Presence of suspicious Lua code in TeX documents containing io.popen, os.execute, or shell-related function calls
- Unusual system activity following document compilation operations
Detection Strategies
- Monitor process creation events where LuaTeX or TeX Live binaries spawn shell processes (/bin/sh, cmd.exe, PowerShell)
- Implement file integrity monitoring on TeX installation directories to detect unauthorized modifications
- Deploy endpoint detection rules for suspicious Lua function calls in TeX document processing
- Analyze TeX documents for embedded Lua code containing potentially dangerous function calls before compilation
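A heuristic scanner of the kind the detection strategies above, the io.popen/os.execute indicator of compromise, and the "document scanning" workaround further down call for, as an added Python example (not code from LuaTeX, TeX Live or MiKTeX). It extracts the brace-balanced bodies of the control sequences that embed Lua (the set \directlua, \latelua, \luaexec, \luadirect is an assumption), flags the shell and process functions named in the indicators plus LuaTeX's os.spawn and os.exec (added as an assumption), and reports code-loading calls at lower severity because they pull in Lua the scanner cannot see. The sample document is constructed.

```python
"""Flag shell-related Lua calls embedded in a TeX document before it is compiled.
Added example for CVE-2023-32700 triage; not part of LuaTeX, TeX Live or MiKTeX."""
import re
from typing import Dict, List, Tuple

# Calls named in the indicators of compromise (io.popen, os.execute); os.spawn and
# os.exec are LuaTeX's own process-spawning functions, added here as an assumption.
SHELL_CALLS = {"io": ("popen",), "os": ("execute", "spawn", "exec")}
# Code loaders pull in Lua the scanner never sees, so they are reported at lower severity.
LOADER_CALLS = ("dofile", "loadfile", "require", "load", "loadstring")
# Control sequences that embed Lua (assumed set: LuaTeX primitives plus luacode macros).
LUA_PRIMITIVES = (r"\directlua", r"\latelua", r"\luaexec", r"\luadirect")


def _braced_group(text: str, start: int) -> str:
    """Return the contents of the brace-balanced group whose '{' is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]  # unterminated group: scan whatever follows


def find_lua_blocks(tex: str) -> List[Tuple[int, str]]:
    """Return (line number where the body starts, lua source) for each embedded Lua group."""
    blocks = []
    for prim in LUA_PRIMITIVES:
        # allow whitespace (and an optional [...] argument) between the macro and its group
        for m in re.finditer(re.escape(prim) + r"(?![A-Za-z])\s*(?:\[[^\]]*\]\s*)?", tex):
            pos = m.end()
            if pos < len(tex) and tex[pos] == "{":
                body_line = tex.count("\n", 0, pos + 1) + 1
                blocks.append((body_line, _braced_group(tex, pos)))
    blocks.sort(key=lambda b: b[0])
    return blocks


def scan_tex(tex: str) -> List[Dict[str, object]]:
    """Report shell/process calls (high) and code loaders (medium) with their line numbers."""
    findings = []
    for base_line, lua in find_lua_blocks(tex):
        for mod, funcs in SHELL_CALLS.items():
            for fn in funcs:
                # matches io.popen, io . popen, io["popen"] and io['popen']
                pat = rf"\b{mod}\s*(?:\.\s*{fn}\b|\[\s*[\"']{fn}[\"']\s*\])"
                for m in re.finditer(pat, lua):
                    findings.append({"line": base_line + lua.count("\n", 0, m.start()),
                                     "call": f"{mod}.{fn}", "severity": "high"})
        for fn in LOADER_CALLS:
            for m in re.finditer(rf"\b{fn}\b\s*[(\"']", lua):
                findings.append({"line": base_line + lua.count("\n", 0, m.start()),
                                 "call": fn, "severity": "medium"})
    findings.sort(key=lambda f: f["line"])
    return findings


# Constructed sample document: one harmless Lua group, two shell-capable ones, one loader.
SAMPLE_TEX = r"""
\documentclass{article}
\begin{document}
Hello \directlua{tex.print("world")}
\directlua{
  -- constructed sample: a call the scanner should flag
  local h = io.popen("placeholder-command")
}
\directlua{ local f = io["popen"] }
\latelua{dofile("extra.lua")}
\end{document}
"""

if __name__ == "__main__":
    for finding in scan_tex(SAMPLE_TEX):
        print(finding)
```

Run it over a document before handing it to luatex in a pipeline; a high-severity hit is a reason to reject or to quarantine the file for review, while a medium hit means the document also needs its external .lua files scanned, since dofile and friends can hide the call outside the .tex source.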
Monitoring Recommendations
- Enable command-line logging and audit process creation events on systems running TeX distributions
- Configure SentinelOne to detect anomalous behavior patterns from document processing applications
- Implement network monitoring for TeX compilation processes that should not require network access
- Review automated document processing pipelines for proper input validation and sandboxing
How to Mitigate CVE-2023-32700
Immediate Actions Required
- Update LuaTeX to version 1.17.0 or later immediately
- Update TeX Live to 2023 r66984 or later
- Update MiKTeX to version 23.5 or later
- Avoid compiling TeX documents from untrusted sources until systems are patched
Patch Information
Security patches have been released for all affected products. Refer to the GitLab LuaTeX Tag 1.17.0 for the LuaTeX fix and GitHub TeX Live Release for the TeX Live patch. Linux distributions have also issued updates as documented in the Fedora Package Announcement.
Workarounds
- Run LuaTeX with the --shell-restricted option to limit shell access to predefined safe commands
- Process untrusted TeX documents in sandboxed environments or containers with restricted privileges
- Implement document scanning to detect potentially malicious Lua code before compilation
- Use restricted shell mode by setting the shell_escape configuration to restricted in texmf.cnf
% texmf.cnf: set shell_escape to restricted (p) mode; texmf.cnf comments begin with %
shell_escape = p

# Alternatively, run LuaTeX with restricted shell access from the command line
luatex --shell-restricted document.tex

# For containerized environments, compile in a throwaway container with limited privileges
docker run --rm -v "$(pwd)":/data --security-opt=no-new-privileges texlive/texlive luatex --shell-restricted /data/document.tex
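As an added Python example (not code from LuaTeX, TeX Live or MiKTeX), the following checks both the patch state and the workaround above at once: whether the installed LuaTeX predates the 1.17.0 fix, read from the luatex --version banner (its exact wording is an assumption), and which shell_escape value texmf.cnf applies to luatex, honouring % comments and program-specific shell_escape.luatex overrides (taking the first definition of each is an assumption about kpathsea precedence). The __main__ block queries the local install through luatex --version and kpsewhich --var-value=shell_escape; the banner and texmf.cnf strings in the tests are constructed.

```python
"""Check a LuaTeX installation against the CVE-2023-32700 fix and the shell_escape workaround.
Added example; not part of LuaTeX, TeX Live or MiKTeX."""
import re
import subprocess
from typing import List, Optional, Tuple

FIXED_VERSION = (1, 17, 0)  # first LuaTeX release carrying the fix, per the advisory


def parse_luatex_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Pull (major, minor, patch) out of the `luatex --version` banner.
    The banner shape 'This is LuaTeX, Version 1.16.0 (TeX Live 2022)' is an assumption."""
    m = re.search(r"LuaTeX,\s*Version\s*(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable_version(banner: str) -> bool:
    """True when the banner reports a LuaTeX older than 1.17.0."""
    version = parse_luatex_version(banner)
    if version is None:
        raise ValueError("could not parse a LuaTeX version from: " + banner.strip())
    return version < FIXED_VERSION


def shell_escape_setting(texmf_cnf: str, program: str = "luatex") -> Optional[str]:
    """Return the shell_escape value that applies to `program` ('f', 't' or 'p'), or None if unset.
    texmf.cnf comments start with '%'; a program-specific 'shell_escape.<prog>' entry overrides
    the generic one, and the first definition of each is taken (assumption about precedence)."""
    generic = specific = None
    for raw in texmf_cnf.splitlines():
        line = raw.split("%", 1)[0].strip()
        m = re.match(r"shell_escape(?:\.(\w+))?\s*=\s*(\S+)$", line)
        if m is None:
            continue
        prog, value = m.group(1), m.group(2)
        if prog is None and generic is None:
            generic = value
        elif prog == program and specific is None:
            specific = value
    return specific if specific is not None else generic


def assess(banner: str, texmf_cnf: str) -> List[str]:
    """Return the list of problems found; an empty list means patched and restricted."""
    issues = []
    if is_vulnerable_version(banner):
        v = ".".join(map(str, parse_luatex_version(banner)))
        issues.append(f"LuaTeX {v} is older than 1.17.0: update (CVE-2023-32700)")
    mode = shell_escape_setting(texmf_cnf)
    # unset or any 'true' spelling means unrestricted shell escape; 'f' (disabled) is stricter than 'p'
    if mode is None or mode.lower() in ("t", "true", "y", "yes", "1"):
        issues.append(f"shell_escape is {mode!r}: set shell_escape = p (restricted) in texmf.cnf")
    return issues


if __name__ == "__main__":
    # Live check on the local install; kpsewhich --var-value prints the effective setting.
    try:
        banner = subprocess.run(["luatex", "--version"], capture_output=True, text=True).stdout
        mode = subprocess.run(["kpsewhich", "--var-value=shell_escape"],
                              capture_output=True, text=True).stdout.strip()
        problems = assess(banner, f"shell_escape = {mode}" if mode else "")
        print("\n".join(problems) if problems else "LuaTeX is at or above 1.17.0 and shell escape is restricted")
    except FileNotFoundError as exc:
        print("TeX binaries not on PATH:", exc)
```

An empty result from assess() means both conditions hold. The version check is the one that settles exposure to this CVE, since the fix the advisory points to is the update; the shell_escape check only confirms that the workaround listed above is in place on hosts that cannot be patched yet.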
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

