CVE-2024-8763

7.5 HIGH

📋 TL;DR

A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary allows attackers to cause indefinite server hangs by sending specially crafted input with excessive braces. This affects systems running the vulnerable version of the lunary repository, potentially making web services unresponsive to legitimate requests.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: git commit be54057 and earlier versions using the vulnerable compileTextTemplate function
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using the vulnerable version with the compileTextTemplate function exposed to user input is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: complete service outage in which the server becomes unresponsive, requires a manual restart, and causes extended downtime.

🟠 Likely Case: temporary service degradation or denial of service on the specific endpoints that process the vulnerable template function.

🟢 If Mitigated: minimal impact when proper input validation and rate limiting are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending malicious input to endpoints using the compileTextTemplate function. The vulnerability is documented in public bug bounty reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 7ff89b0304d191534b924cf063f3648206d497fa

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/7ff89b0304d191534b924cf063f3648206d497fa

Restart Required: No

Instructions:

1. Update to the latest lunary-ai/lunary repository version.
2. Ensure you're using commit 7ff89b0304d191534b924cf063f3648206d497fa or later.
3. Verify the compileTextTemplate function has been patched.

🔧 Temporary Workarounds

Input Validation and Sanitization (all platforms)

Implement strict input validation to reject inputs with excessive braces or nested patterns that could trigger ReDoS.

Rate Limiting (all platforms)

Apply rate limiting to endpoints using the compileTextTemplate function to prevent mass exploitation attempts.

🧯 If You Can't Patch

  • Implement WAF rules to block requests with patterns containing excessive braces or nested {{}} sequences.
  • Monitor server performance metrics and set alerts for abnormal CPU usage or response time spikes on affected endpoints.
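The input-validation workaround above, as an added example that is not lunary's code and not the official fix: a pre-check that rejects templates with excessive, unclosed or nested braces, followed by a placeholder substitution that uses a single forward scan instead of a backtracking regex. The function names, the limits (MAX_BRACES, MAX_TEMPLATE_LEN) and the sample inputs are assumptions chosen for illustration; tune the limits to the largest legitimate template your deployment handles.

```javascript
// Added example, not lunary's code. Names, limits and inputs are assumptions.
const MAX_BRACES = 64;         // hypothetical cap on '{' + '}' characters per template
const MAX_TEMPLATE_LEN = 4096; // hypothetical cap on template length

// Reject inputs that carry far more brace characters than a legitimate template
// needs, that open a {{ placeholder without closing it, or that nest {{ inside {{.
function validateTemplateInput(text) {
  if (typeof text !== "string") return { ok: false, reason: "not a string" };
  if (text.length > MAX_TEMPLATE_LEN) return { ok: false, reason: "too long" };
  let braces = 0;
  for (const ch of text) {
    if (ch === "{" || ch === "}") braces++;
  }
  if (braces > MAX_BRACES) return { ok: false, reason: "excessive braces" };
  // Every "{{" must be closed by a "}}" before the next "{{" starts.
  let pos = 0;
  for (;;) {
    const open = text.indexOf("{{", pos);
    if (open === -1) break;
    const close = text.indexOf("}}", open + 2);
    if (close === -1) return { ok: false, reason: "unclosed placeholder" };
    const nextOpen = text.indexOf("{{", open + 2);
    if (nextOpen !== -1 && nextOpen < close) return { ok: false, reason: "nested placeholder" };
    pos = close + 2;
  }
  return { ok: true, reason: "" };
}

// Substitute {{name}} placeholders in one left-to-right pass (O(n), no regex
// backtracking). Unknown names are left verbatim so the output stays inspectable.
function compileTextTemplateSafe(text, vars) {
  const check = validateTemplateInput(text);
  if (!check.ok) throw new Error(`rejected template: ${check.reason}`);
  let out = "";
  let pos = 0;
  while (pos < text.length) {
    const open = text.indexOf("{{", pos);
    if (open === -1) { out += text.slice(pos); break; }
    const close = text.indexOf("}}", open + 2); // never -1: validation passed
    out += text.slice(pos, open);
    const name = text.slice(open + 2, close).trim();
    out += Object.prototype.hasOwnProperty.call(vars, name)
      ? String(vars[name])
      : text.slice(open, close + 2);
    pos = close + 2;
  }
  return out;
}

// Constructed inputs: a benign template and an all-brace payload.
console.log(compileTextTemplateSafe("Hi {{ name }}, {{x}}", { name: "Ana" }));
console.log(validateTemplateInput("{".repeat(100)));
```

Placing the validation in front of the template endpoint (for example as request middleware) means an oversized or malformed payload is rejected in linear time before the original compileTextTemplate ever sees it, which is the property the workaround relies on.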

🔍 How to Verify

Check if Vulnerable:

Check if your lunary repository version is at commit be54057 or earlier. Review code for the compileTextTemplate function using the vulnerable regex pattern /{{(.*?)}}/g.

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify the repository uses commit 7ff89b0304d191534b924cf063f3648206d497fa or later. Test with sample inputs containing nested braces to ensure no performance degradation.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for template compilation requests
  • High CPU usage spikes correlated with specific request patterns
  • Requests with excessive braces in payloads

Network Indicators:

  • Repeated requests to template endpoints with similar payload patterns
  • Abnormal request sizes containing many brace characters

SIEM Query:

source="web_logs" AND (uri="*template*" OR uri="*compile*") AND (payload="*{{*" OR payload="*}}*") | stats count by src_ip
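The log and network indicators above, as an added detection example that is not part of the original advisory and is independent of any SIEM product: it applies the same selection as the query (template or compile URIs whose payload carries "{{" or "}}"), counts hits per source IP, and flags entries whose brace count or processing time is abnormal. The JSON log format, the field names (src_ip, uri, payload, duration_ms), the thresholds and the sample lines are constructed assumptions.

```javascript
// Added example, not lunary's code. Log format, fields, thresholds and
// sample lines are constructed for illustration.
const BRACE_ALERT_THRESHOLD = 32; // hypothetical; set above your largest legitimate template
const SLOW_MS = 1000;             // hypothetical; template compilation should be far faster

function countBraces(s) {
  let n = 0;
  for (const ch of s) if (ch === "{" || ch === "}") n++;
  return n;
}

// Scan JSON web-log lines. Returns per-IP hit counts for template/compile
// requests containing braces (the SIEM query's "stats count by src_ip") and a
// list of entries that exceed the brace or duration thresholds.
function scanWebLogs(lines) {
  const byIp = {};
  const flagged = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    const uri = String(rec.uri || "");
    const payload = String(rec.payload || "");
    if (!(uri.includes("template") || uri.includes("compile"))) continue;
    if (!(payload.includes("{{") || payload.includes("}}"))) continue;
    byIp[rec.src_ip] = (byIp[rec.src_ip] || 0) + 1;
    const braces = countBraces(payload);
    const slow = typeof rec.duration_ms === "number" && rec.duration_ms > SLOW_MS;
    if (braces > BRACE_ALERT_THRESHOLD || slow) {
      flagged.push({ src_ip: rec.src_ip, uri, braces, duration_ms: rec.duration_ms });
    }
  }
  return { byIp, flagged };
}

// Constructed sample log lines: one benign request, one oversized brace
// payload with a long processing time, one benign request from the same
// source, one unrelated request, and one malformed line.
const SAMPLE_LOGS = [
  JSON.stringify({ src_ip: "10.0.0.5", uri: "/api/template/compile", payload: "Hello {{name}}", duration_ms: 3 }),
  JSON.stringify({ src_ip: "10.0.0.9", uri: "/api/template/compile", payload: "{".repeat(80), duration_ms: 4800 }),
  JSON.stringify({ src_ip: "10.0.0.9", uri: "/api/template/compile", payload: "{{a}} {{b}}", duration_ms: 2 }),
  JSON.stringify({ src_ip: "10.0.0.7", uri: "/healthz", payload: "", duration_ms: 1 }),
  "not json",
];

console.log(scanWebLogs(SAMPLE_LOGS));
```

The per-IP counts reproduce what the SIEM query reports; the flagged list adds the two indicators the query alone does not capture, an abnormal number of brace characters and a slow response, which is where an alert threshold belongs.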
