Protection mechanism failure in LuaTeX - CVE-2023-32668
Published: November 25, 2025
Vulnerability identifier: #VU118762
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-32668
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: LuaTeX
Affected software:
LuaTeX
LuaTeX
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the application allows a document (compiled with the default settings) to make arbitrary network requests. A remote attacker can trick the victim into opening a specially crafted document and gain access to sensitive information.
How to mitigate CVE-2023-32668
Install updates from vendor's website.
Sources
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
- https://tug.org/pipermail/tex-live/2023-May/049188.html
- https://lists.debian.org/debian-lts-announce/2024/10/msg00032.html