Login Sign Up

CVE-2019-19391

9.1 CRITICAL

📋 TL;DR

CVE-2019-19391 is a type confusion vulnerability in LuaJIT's debug.getinfo function that allows attackers to perform arbitrary memory read/write operations. This affects LuaJIT through version 2.0.5, Moonjit before 2.1.2, and other derivatives. The LuaJIT maintainer considers the debug library inherently unsafe, but many users treat this as a security vulnerability.

💻 Affected Systems

Products:
  • LuaJIT
  • Moonjit
  • products embedding LuaJIT
Versions: LuaJIT through 2.0.5, Moonjit before 2.1.2
Operating Systems: All operating systems running affected LuaJIT versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when debug library is enabled and untrusted code can be executed. Many embedded uses may have debug disabled.

📦 What is this software?

Luajit by Luajit

View all CVEs affecting Luajit →

Moonjit by Moonjit Project

View all CVEs affecting Moonjit →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary code execution leading to complete control of affected systems.

🟠

Likely Case

Memory corruption leading to application crashes, denial of service, or limited code execution within the LuaJIT context.

🟢

If Mitigated

No impact if debug library is disabled or LuaJIT is used in sandboxed environments without untrusted code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to execute Lua code with debug library access. The vulnerability is well-documented in the pull request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LuaJIT 2.1.0-beta3 and later, Moonjit 2.1.2 and later

Vendor Advisory: https://github.com/LuaJIT/LuaJIT/pull/526

Restart Required: Yes

Instructions:

1. Update LuaJIT to version 2.1.0-beta3 or later. 2. Update Moonjit to version 2.1.2 or later. 3. Recompile and restart all applications using the patched library.

🔧 Temporary Workarounds

Disable debug library

all

Remove or disable the debug library to prevent exploitation

Remove debug library from LuaJIT build configuration or disable at runtime

Sandbox Lua execution

all

Run LuaJIT in restricted environments without debug capabilities

Use Lua sandboxing libraries or run with minimal privileges

🧯 If You Can't Patch

  • Disable debug library functionality completely
  • Implement strict input validation and sandboxing for all Lua code execution

🔍 How to Verify

Check if Vulnerable:

Check LuaJIT version with 'luajit -v' and verify it's 2.0.5 or earlier, or check Moonjit version

Check Version:

luajit -v

Verify Fix Applied:

Verify version is LuaJIT 2.1.0-beta3+ or Moonjit 2.1.2+ and test debug.getinfo functionality

📡 Detection & Monitoring

Log Indicators:

  • Unexpected memory access errors
  • Debug library usage in production environments
  • Application crashes with memory corruption

Network Indicators:

  • Unusual Lua script execution patterns
  • Exploitation attempts targeting debug functions

SIEM Query:

process:luajit AND (event:crash OR memory_access_violation)

📊 Metadata

CVE ID: CVE-2019-19391
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-843
Published: November 29, 2019
Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-19391, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2016-1000005 9.8

This CVE involves a type confusion vulnerability in HHVM's mcrypt_get_block_size function where the ...

Same vulnerability type (CWE-843)