PT-2023-9170 · Luatex+4

Max Chernoff

·

Published

2023-05-11

·

Updated

2026-01-29

·

CVE-2023-32668

CVSS v2.0

10

High

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

LuaTeX versions prior to 1.17.0
TeX Live versions prior to 2023 r66984
MiKTeX versions prior to 23.5
Description

LuaTeX before 1.17.0 loads the LuaSocket library (the `socket` global) into every document's Lua interpreter, even when the engine runs with its default, restricted settings and without --shell-escape. The LuaTeX documentation stated this behaviour openly, but the consequence is that any document compiled with default settings can open arbitrary TCP and UDP connections from `\directlua` code. A remote attacker who gets a victim to compile a crafted document (a downloaded template or package, a submission to an automated build service) can therefore exfiltrate data readable by the TeX process, probe the victim's internal network, or drive other network services from the victim's host. The CVE record describes arbitrary network requests, not command execution; the "RCE" label and the CVSS v2 score shown above are this database's rating of the worst-case impact. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited.
Recommendations

Update LuaTeX to 1.17.0 or later; in distribution terms, TeX Live 2023 r66984 or later and MiKTeX 23.5 or later. From 1.17.0 the socket library is no longer loaded by default: it is available only when the engine runs with --shell-escape or when --socket is passed explicitly, so a document compiled with default settings cannot open network connections. Where updating is not yet possible, pass --nosocket to luatex/lualatex in build scripts, CI jobs and editor configurations so the library is not loaded, and keep --shell-escape off for untrusted input. Note that restricting shell escape alone does not help on affected versions, because the socket library was loaded regardless of the shell-escape setting. Documents from untrusted sources should be treated as code: compile them in a sandbox without network access.
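To verify a particular installation rather than trusting a version string, the following Python script is an added example (not code from this advisory or from the LuaTeX project). It parses the `luatex --version` banner, compares it against 1.17.0, and compiles a constructed plain-TeX probe document under default settings (no --shell-escape) that reports, without opening any connection, whether `\directlua` code can reach the `socket` library. The banner and log strings in the comments are constructed; `run_probe` requires a luatex binary on PATH and returns None otherwise.

```python
"""Probe whether an installed LuaTeX exposes the LuaSocket library to
documents compiled with default (restricted) settings, CVE-2023-32668.
Added example; not code from the advisory or from the LuaTeX project."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

FIXED_VERSION = (1, 17, 0)   # first LuaTeX release that gates the socket library

# Constructed plain-TeX probe. It only reports whether the `socket` table is
# reachable from document code; it deliberately opens no connection.
PROBE_TEX = r"""
\directlua{
  local reachable = type(socket) == "table" and type(socket.tcp) == "function"
  texio.write_nl("term and log", "SOCKET-PROBE: " .. (reachable and "AVAILABLE" or "ABSENT"))
}
\bye
"""


def parse_version(banner):
    """Return (major, minor, patch) from the `luatex --version` banner,
    e.g. 'This is LuaTeX, Version 1.16.0 (TeX Live 2022)' -> (1, 16, 0)."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("unrecognised LuaTeX version banner: %r" % banner[:60])
    return tuple(int(part) for part in m.groups())


def version_vulnerable(banner):
    """True when the banner reports a LuaTeX older than 1.17.0."""
    return parse_version(banner) < FIXED_VERSION


def socket_exposed(log_text):
    """Interpret the marker that PROBE_TEX writes to the terminal and log."""
    m = re.search(r"SOCKET-PROBE: (AVAILABLE|ABSENT)", log_text)
    if m is None:
        raise ValueError("probe marker not found; the document did not compile")
    return m.group(1) == "AVAILABLE"


def run_probe(luatex="luatex", extra_args=()):
    """Compile PROBE_TEX with default settings (no --shell-escape) and report
    what a document compiled on this machine can reach. Returns None when no
    luatex binary is on PATH. Pass extra_args=("--shell-escape",) to observe
    the 1.17.0+ behaviour, where sockets return together with shell escape,
    or ("--nosocket",) to confirm the workaround on an older engine."""
    exe = shutil.which(luatex)
    if exe is None:
        return None
    banner = subprocess.run([exe, "--version"], capture_output=True,
                            text=True, timeout=30).stdout
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "probe.tex").write_text(PROBE_TEX)
        proc = subprocess.run(
            [exe, "--interaction=batchmode", *extra_args, "probe.tex"],
            cwd=tmp, capture_output=True, text=True, timeout=60)
        # batchmode suppresses terminal output, so read the log file as well.
        output = proc.stdout
        log = Path(tmp) / "probe.log"
        if log.exists():
            output += log.read_text(errors="replace")
    return {
        "version": parse_version(banner),
        "version_vulnerable": version_vulnerable(banner),
        "socket_exposed": socket_exposed(output),
    }


if __name__ == "__main__":
    result = run_probe()
    if result is None:
        print("luatex not found on PATH")
    else:
        print(result)
        if result["socket_exposed"]:
            print("VULNERABLE: documents compiled with default settings can "
                  "open network connections")
```

The version check and the runtime probe are kept separate on purpose: a distribution may backport the fix without bumping the banner, or ship a 1.17.0+ engine that a wrapper script invokes with --shell-escape, and only the probe reflects what a document actually gets at compile time.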

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-04366
CVE-2023-32668
DLA-3941-1
MGASA-2024-0108
OPENSUSE-SU-2024:12936-1
USN-6695-1
USN-7985-1

Affected Products

Linuxmint
Luatex
Miktex
Tex Live
Ubuntu