Critical Severity CVE-2024-40446
Published: Jun 24, 2025

[GitHub] CVE-2024-40445_CVE-2024-40446

Type: RCE
CVSS Score: N/A
Author: Anonymous

Description

This repository serves as the public reference for CVE-2024-40445 and CVE-2024-40446. Both vulnerabilities impact MimeTeX, an open-source software package for rendering LaTeX expressions, which appears to be no longer maintained.

# MimeTeX Vulnerability Reference (CVE-2024-40445 & CVE-2024-40446)

This repository serves as the public reference for the security issues CVE-2024-40445 and CVE-2024-40446 affecting [MimeTeX](https://ctan.org/pkg/mimetex), a lightweight open-source LaTeX renderer written in C.

> ⚠️ MimeTeX appears to be no longer actively maintained. Users and developers are strongly encouraged to assess the risks before using it in production environments.

## Vulnerabilities

### CVE-2024-40445 — Directory Traversal
A directory traversal vulnerability exists in MimeTeX prior to version 1.77. When operating in command-line or CGI mode, crafted user input can be used to perform unauthorized file access operations on Windows systems.

### CVE-2024-40446 — Code Injection
MimeTeX versions from 1.76 up to 1.77 contain a code injection vulnerability. A malicious input string, when parsed by the engine, can trigger unintended command execution.

## Possibly Affected Users

If you are a user of Moodle, which appears to be one of the main platforms still using MimeTeX, please refer to their [advisory](https://moodle.org/mod/forum/discuss.php?d=467592) for mitigation guidance.

## Mitigation

If you are using MimeTeX:

- **Stop using it**, as it appears to be unmaintained and vulnerable.
- **Restrict user input** if usage cannot be immediately discontinued.
- **Isolate the service** using sandboxing or containerization to limit the impact of potential exploits.
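One way to implement the "restrict user input" item above, as an added example that is not code from the MimeTeX project or from this repository: a deny-by-default allow-list filter that the calling application runs on a user-supplied expression before handing it to the renderer. The command allow-list, the escape set and the length limit are assumptions to be tuned per site.

```python
import re

# Assumed allow-list of math control sequences; tune it for the notation your site needs.
ALLOWED_COMMANDS = frozenset({
    "frac", "sqrt", "sum", "int", "prod", "lim", "infty", "cdot", "times", "pm",
    "left", "right", "alpha", "beta", "gamma", "pi", "theta", "sin", "cos", "log",
    "le", "ge", "ne", "rightarrow", "mathbf", "hat", "bar", "vec", "quad",
})
# Single-character escapes that only affect layout: \{ \} \, \; \! and an escaped space.
ALLOWED_ESCAPES = frozenset("{},;! ")
MAX_LEN = 512  # assumed upper bound; one rendered formula rarely needs more
# A control sequence is a backslash followed by a run of letters or by one other character.
CONTROL_RE = re.compile(r"\\(?:([A-Za-z]+)|(.))", re.S)

def check_expression(expr: str) -> tuple[bool, str]:
    """Return (True, "ok") if expr may go to the renderer, else (False, reason).
    Deny-by-default: unlisted control sequences are rejected, so the filter needs no
    knowledge of which constructs a given renderer version handles unsafely."""
    if len(expr) > MAX_LEN:
        return False, "expression too long"
    if not all(0x20 <= ord(c) <= 0x7E for c in expr):
        return False, "non-printable or non-ASCII character"
    i, depth = 0, 0
    while i < len(expr):
        c = expr[i]
        if c == "\\":
            m = CONTROL_RE.match(expr, i)
            if m is None:
                return False, "dangling backslash"
            name, esc = m.group(1), m.group(2)
            if name is not None and name not in ALLOWED_COMMANDS:
                return False, f"control sequence \\{name} not allowed"
            if esc is not None and esc not in ALLOWED_ESCAPES:
                return False, f"escape \\{esc} not allowed"
            i = m.end()  # escaped braces are consumed here and do not affect nesting
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth < 0:
                return False, "unbalanced braces"
        i += 1
    if depth != 0:
        return False, "unbalanced braces"
    return True, "ok"

if __name__ == "__main__":
    for sample in (r"\frac{a^2+b^2}{c}", r"\mystery{x}", "{a+b", "a\\"):
        print(repr(sample), "->", check_expression(sample))
```

Rejected expressions should be logged with the reason, since a burst of rejections against one endpoint is a useful detection signal for probing of the renderer.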

## Disclaimer

This repository is for informational purposes only. Technical details have been redacted to minimize potential risks to users and systems still using affected versions.

---

**CVE IDs:** [CVE-2024-40445](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40445), [CVE-2024-40446](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40446)
**Vendor:** forkosh
**Status:** Affected versions are no longer actively maintained.
