Unrated severityNVD Advisory· Published May 11, 2023· Updated Nov 3, 2025

CVE-2023-32668

Description

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

Affected products

LuaTeX/LuaTeXdescription
osv-coords
pkg:rpm/opensuse/texlive&distro=openSUSE%20Tumbleweed
Range: < 2023.20230311.svn34398-90.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLogmitre
gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0mitre
tug.org/pipermail/tex-live/2023-May/049188.htmlmitre
tug.org/~mseven/luatex.htmlmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000