CVE-2024-4148
📋 TL;DR
A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary version 1.2.10 allows attackers to send specially crafted requests that cause catastrophic backtracking in regular expressions, leading to excessive CPU consumption and application crashes. This affects all systems running the vulnerable version of the lunary application, potentially causing complete service disruption.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash and denial of service, rendering the lunary service completely unavailable until manual intervention and restart.
Likely Case
Severe performance degradation with extremely slow response times or temporary service unavailability during attack periods.
If Mitigated
Minimal impact with proper rate limiting, request validation, and updated regular expressions that prevent catastrophic backtracking.
🎯 Exploit Status
The vulnerability requires sending specially crafted requests to trigger the vulnerable regular expressions. Public details are available in the referenced bounty reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 1e8a3d941ba5cfef2c478dd5bac4e4a4b4d67830 and later versions
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/1e8a3d941ba5cfef2c478dd5bac4e4a4b4d67830
Restart Required: Yes
Instructions:
1. Update lunary to the latest version or specifically to a version containing commit 1e8a3d941ba5cfef2c478dd5bac4e4a4b4d67830.
2. Restart the lunary application service.
3. Verify the fix is applied by checking the version.
🔧 Temporary Workarounds
Rate Limiting Implementation
Implement strict rate limiting on all endpoints to prevent attackers from sending multiple malicious requests.
# Configure rate limiting in your web server or application firewall
# Example for nginx: limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
Input Validation and Sanitization
Add input validation to reject suspicious patterns before they reach the vulnerable regular expressions.
# Implement input validation in your application code
# Example: validate input length and character patterns
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block requests with suspicious patterns that could trigger ReDoS.
- Deploy the application behind a reverse proxy with request timeout limits and connection limits.
🔍 How to Verify
Check if Vulnerable:
Check whether the deployment is running lunary version 1.2.10 by examining the package version, or compare the deployed commit hash against the fixing commit.
Check Version:
Check package.json or run: npm list lunary-ai/lunary (if installed via npm) or check the application's version endpoint if available.
Verify Fix Applied:
Verify the application is running a version containing commit 1e8a3d941ba5cfef2c478dd5bac4e4a4b4d67830 or later.
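The version and commit checks above, as an added example script that is not part of the advisory or the lunary project. It assumes a source checkout that contains package.json and a git history, plain numeric dotted versions, and the fix commit and vulnerable version quoted in this advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or the lunary project): checks a lunary
# checkout against the vulnerable release (1.2.10) and the fixing commit.
FIX_COMMIT="1e8a3d941ba5cfef2c478dd5bac4e4a4b4d67830"
VULN_VERSION="1.2.10"

# Read the top-level "version" field from a package.json (first match wins;
# assumes a plain numeric dotted version such as 1.2.10).
package_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Compare two dotted versions component by component; prints -1, 0 or 1.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
    [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  echo 0
}

# Exit status 0 when the package.json version is at or below the vulnerable release.
version_is_vulnerable() {
  v="$(package_version "$1")"
  [ -n "$v" ] && [ "$(vercmp "$v" "$VULN_VERSION")" -le 0 ]
}

# Exit status 0 when the fix commit is an ancestor of the checked-out HEAD.
has_fix_commit() {
  git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Combine both checks: the commit test is authoritative, the version is a fallback.
check_lunary() {
  dir="${1:-.}"
  if has_fix_commit "$dir"; then
    echo "OK: fix commit present in git history"; return 0
  fi
  if version_is_vulnerable "$dir/package.json"; then
    echo "VULNERABLE: lunary $(package_version "$dir/package.json") without fix commit"; return 1
  fi
  echo "UNKNOWN: version newer than $VULN_VERSION but fix commit not found in git history"; return 2
}

if [ "$#" -gt 0 ]; then check_lunary "$1"; fi
```

Run it as `sh check_lunary.sh /path/to/lunary`; exit status 1 means the checkout is vulnerable, 2 means the git history could not confirm the fix.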
📡 Detection & Monitoring
Log Indicators:
- Unusually long request processing times for specific endpoints
- High CPU usage spikes correlated with specific request patterns
- Application crash logs with stack traces involving regular expression processing
Network Indicators:
- Multiple requests with similar patterns causing slow responses
- Unusual request patterns containing complex strings designed to trigger regex backtracking
SIEM Query:
source="application.logs" AND (message="*timeout*" OR message="*CPU*" OR message="*regex*" OR message="*backtrack*") AND dest_app="lunary"