CVE-2023-32668 is a vulnerability in LuaTeX, a TeX engine that integrates the Lua scripting language, which allows documents compiled with default settings to perform arbitrary network requests. This occurs because the socket library is enabled by default without restrictions, permitting Lua scripts embedded in TeX documents to open network connections. The vulnerability affects LuaTeX versions before 1.17.0, TeX Live distributions before 2023 r66984, and MiKTeX versions before 23.5. An attacker can craft a malicious TeX document that, when compiled or processed by a vulnerable engine, initiates network connections potentially leaking sensitive information or communicating with attacker-controlled servers. The CVSS 3.1 base score is 5.5 (medium severity), reflecting that exploitation requires local access and user interaction but no privileges, and impacts confidentiality without affecting integrity or availability. No known exploits have been reported in the wild. The vulnerability highlights the risk of enabling powerful scripting capabilities with network access in document processing tools, which are often trusted and widely used in academic, publishing, and research environments.

For European organizations, this vulnerability could lead to unauthorized data exfiltration or network reconnaissance if malicious TeX documents are processed in vulnerable environments. Academic institutions, research centers, and publishing houses that frequently use LuaTeX or TeX Live/MiKTeX distributions are particularly at risk. Confidential information embedded in documents or accessible during compilation could be leaked. Although the vulnerability does not directly compromise system integrity or availability, the ability to make arbitrary network requests can facilitate further attacks such as command and control communication or data leakage. The requirement for user interaction (opening or compiling a malicious document) limits large-scale automated exploitation but does not eliminate targeted attacks. Organizations relying on automated document processing pipelines should be cautious, as these could be abused to trigger the vulnerability without direct user action.

1. Upgrade LuaTeX to version 1.17.0 or later, and update TeX Live to 2023 r66984 or newer, and MiKTeX to version 23.5 or later to apply official patches that restrict socket library access. 2. Configure LuaTeX and related TeX engines to disable or sandbox network capabilities where possible, especially in automated or multi-user environments. 3. Implement strict document handling policies to verify the source and integrity of TeX documents before processing. 4. Use network-level controls such as firewall rules or application-layer proxies to restrict outbound connections from systems used for document compilation. 5. Educate users about the risks of opening untrusted TeX documents and encourage scanning or sandboxing before processing. 6. Monitor network traffic from document processing systems for unusual outbound connections that could indicate exploitation attempts.