PT-2024-31564 · Overleaf · Overleaf Server Pro+1

Stefan-Schiller-Sonarsource · Published 2024-09-02 · Updated 2024-09-25 · CVE-2024-45312

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Overleaf Community Edition and Server Pro versions prior to 5.0.7
Overleaf Community Edition and Server Pro versions 4.x prior to 4.2.7

Description

Overleaf is a web-based collaborative LaTeX editor. The issue allows an arbitrary language parameter in client spelling requests to be passed to the aspell executable running on the server, causing aspell to attempt to load a dictionary file with an arbitrary filename. File access is limited to the scope of the Overleaf server.

Recommendations

For versions prior to 5.0.7, upgrade to version 5.0.7 or later using the Overleaf toolkit bin/upgrade command.
For versions 4.x prior to 4.2.7, upgrade to version 4.2.7 or later using the Overleaf toolkit bin/upgrade command.
As a temporary workaround for users unable to upgrade, block POST requests to "/spelling/check" via a Web Application Firewall to prevent access to the vulnerable spell check feature.
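
The root cause in the description is a client-supplied language value reaching the aspell command line unchecked. The following is an added example, not Overleaf's code or its actual patch, of validating that value against an allowlist before any argument vector is built. The function names, the dictionary list and the aspell arguments are assumptions made for illustration.

```javascript
// Added example: allowlist validation of a spell-check language parameter
// before it is used as an aspell dictionary name.

// Assumption: dictionaries the operator has installed (constructed list).
const ALLOWED_LANGUAGES = new Set(['en', 'en_GB', 'de', 'fr', 'pt_BR']);

// A plain language code such as "en" or "pt_BR": no slashes, dots or
// control characters, so the value cannot name a file outside the
// dictionary directory.
const LANGUAGE_SHAPE = /^[a-z]{2,3}(_[A-Z]{2})?$/;

function validateLanguage(value) {
  // Body parsers can deliver arrays or objects for a field, so check the type.
  if (typeof value !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  if (!LANGUAGE_SHAPE.test(value)) {
    return { ok: false, reason: 'bad-shape' };
  }
  if (!ALLOWED_LANGUAGES.has(value)) {
    return { ok: false, reason: 'not-installed' };
  }
  return { ok: true, language: value };
}

// Hypothetical helper: returns the argument array to hand to a process
// spawner (no shell involved). The exact aspell arguments are an assumption.
function buildAspellArgs(value) {
  const result = validateLanguage(value);
  if (!result.ok) {
    const err = new Error('rejected spelling language');
    err.code = result.reason;
    throw err;
  }
  return ['pipe', '--encoding=utf-8', '-d', result.language];
}

// Constructed sample inputs, as they might arrive in a request body.
for (const sample of ['en', 'pt_BR', 'xx_YY', '../tmp/file', 'en\n', ['en']]) {
  console.log(JSON.stringify(sample), validateLanguage(sample));
}
```

Rejected values should produce a 4xx response and a log entry, since a spelling request with a non-language value is a useful detection signal on unpatched or recently patched servers.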

Exploit

Fix

Path traversal

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2024-45312
GHSA-PXM4-P454-VPPG

Affected Products

Overleaf Community Edition
Overleaf Server Pro