CVE-2023-32668: 
Linux Debian vulnerability analysis and mitigation

LuaTeX before version 1.17.0 contains a vulnerability that allows documents compiled with default settings to make arbitrary network requests. This security issue occurs because full access to the socket library is permitted by default, as documented. The vulnerability affects TeX Live before 2023 r66984 and MiKTeX before 23.5 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The issue stems from LuaTeX's default configuration where the luasocket module is enabled, allowing network requests directly from LuaTeX documents. This functionality has been present since version 0.27.0, introduced in 2008 (LuaTeX Security).

The vulnerability could allow malicious documents to download dangerous files to the user's computer or enable malicious packages to upload files to remote servers. This poses a significant security risk for users who compile documents from untrusted sources (LuaTeX Security).

The vulnerability was fixed in LuaTeX version 1.17.0, where the socket library is disabled by default. Users can re-enable the socket module at runtime by compiling with either LUATEX --socket or LUATEX --shell-escape. For users unable to upgrade, network access can be blocked by compiling documents with LUATEX --nosocket (LuaTeX Security).