CVE-2024-25178

9.1 CRITICAL

📋 TL;DR

This vulnerability is an out-of-bounds read in the stack-overflow handler of LuaJIT, which could allow attackers to read sensitive memory contents or potentially lead to remote code execution. It affects LuaJIT through version 2.1 and OpenResty's luajit2 fork before March 14, 2024. Any application using these vulnerable LuaJIT implementations is at risk.

💻 Affected Systems

Products:
  • LuaJIT
  • OpenResty luajit2
Versions: LuaJIT through 2.1, OpenResty luajit2 before v2.1-20240314
Operating Systems: All platforms where LuaJIT runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any application embedding or using these LuaJIT versions is vulnerable by default when processing untrusted Lua code.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or service disruption.

🟠 Likely Case: Information disclosure through memory reads, potential denial of service, or limited code execution depending on exploitation.

🟢 If Mitigated: Limited impact with proper memory protections and exploit mitigations like ASLR and DEP.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

A proof of concept is available in the GitHub references. Exploitation requires the ability to execute Lua code in the vulnerable context.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LuaJIT commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8 or later

Vendor Advisory: https://github.com/LuaJIT/LuaJIT/issues/1152

Restart Required: Yes

Instructions:

1. Update LuaJIT to commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8 or later.
2. For OpenResty, update luajit2 to v2.1-20240314 or later.
3. Rebuild and restart all affected applications.

🔧 Temporary Workarounds

Disable LuaJIT execution (platforms: all)
  • Temporarily disable LuaJIT execution in applications if possible
  • Application-specific configuration changes required

Sandbox Lua execution (platforms: all)
  • Implement strict sandboxing for Lua code execution
  • Use Lua sandboxing libraries or implement custom restrictions

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Deploy application firewalls to monitor and block suspicious Lua execution patterns

🔍 How to Verify

Check if Vulnerable:

Check the LuaJIT version with:

luajit -v

Verify Fix Applied:

Verify the version shows commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8 or later

📡 Detection & Monitoring

Log Indicators:

  • Unusual Lua execution patterns
  • Stack overflow errors in LuaJIT logs
  • Memory access violation logs

Network Indicators:

  • Suspicious Lua code transmission to applications

SIEM Query:

source="*lua*" AND (event="stack_overflow" OR event="memory_access")
