LaTeX --shell-escape Command Execution
These notes describe how LaTeX can be abused to gain command execution when pdflatex is run with the --shell-escape option enabled.
When a web application compiles untrusted LaTeX documents using:
pdflatex --shell-escape file.tex
it allows the document to execute system-level shell commands, which can lead to Remote Code Execution (RCE).
What is --shell-escape?
Normally, LaTeX documents are limited to typesetting and document processing.
However, when compiled with:
--shell-escape
LaTeX enables the execution of external system commands via:
- \write18
- \immediate\write18
- Certain packages that invoke shell commands
This feature is intended for:
- Running external scripts
- Generating images (e.g., via gnuplot)
- Automating document workflows
But if enabled on untrusted input, it becomes dangerous.
Attack Concept
LaTeX can execute shell commands using:
\immediate\write18{command}
Example:
\documentclass{article}
\begin{document}
Hello World
\immediate\write18{id}
\end{document}
If compiled with --shell-escape, this runs the id command on the host system.
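A defensive check for a service that compiles untrusted documents, as an added example that is not part of the original notes: it refuses any compile command that turns shell escape on, reports \write18 use in the source as an alert, and builds a command line with shell escape explicitly off. The function names are hypothetical; -no-shell-escape, -interaction=nonstopmode and -halt-on-error are standard pdflatex options that the notes do not mention.

```python
import re

# The sample document from the notes, embedded so the check runs offline.
PAGE_EXAMPLE = r"""\documentclass{article}
\begin{document}
Hello World
\immediate\write18{id}
\end{document}
"""

WRITE18 = re.compile(r"\\write\s*18\b")                 # covers the \immediate form too
SHELL_ESCAPE_FLAG = re.compile(r"^-{1,2}shell-escape$")  # -shell-escape / --shell-escape


def find_write18(tex_source):
    """Return (line_number, stripped_line) for every line using the write18 primitive."""
    return [(number, line.strip())
            for number, line in enumerate(tex_source.splitlines(), start=1)
            if WRITE18.search(line)]


def enables_shell_escape(argv):
    """True if the compile command line switches shell escape on."""
    return any(SHELL_ESCAPE_FLAG.match(arg) for arg in argv)


def safe_pdflatex_argv(tex_path):
    """Command line for untrusted input, with shell escape explicitly disabled."""
    return ["pdflatex", "-no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", tex_path]


def assess(tex_source, argv):
    """Combine both checks into a decision for one compile request."""
    hits = find_write18(tex_source)
    return {
        # Packages can also invoke shell commands, so the flag alone is
        # enough to refuse, whether or not the source contains write18.
        "refuse": enables_shell_escape(argv),
        # write18 in untrusted input is worth logging even with the flag off.
        "alert": bool(hits),
        "write18_lines": hits,
    }


if __name__ == "__main__":
    print(assess(PAGE_EXAMPLE, ["pdflatex", "--shell-escape", "file.tex"]))
    print(safe_pdflatex_argv("file.tex"))
```

The source scan is only a detection signal; the control that removes the risk is compiling without shell escape.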