CVE-2024-8764

7.5 HIGH

📋 TL;DR

This vulnerability in lunary-ai/lunary allows authenticated users to upload and execute arbitrary regular expressions on the server, potentially causing excessive resource consumption and Denial of Service. The vulnerability affects all deployments running vulnerable versions of the lunary-ai/lunary software.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: All versions up to and including commit be54057
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to exploit the regex upload functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server unavailability due to resource exhaustion from malicious regex patterns, preventing legitimate users from accessing the service.

🟠

Likely Case

Degraded performance and intermittent service disruptions as attackers test regex patterns that consume CPU/memory resources.

🟢

If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of regex patterns that cause excessive backtracking or resource consumption.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 7ff89b0304d191534b924cf063f3648206d497fa and later

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/7ff89b0304d191534b924cf063f3648206d497fa

Restart Required: No

Instructions:

1. Update to latest lunary-ai/lunary version
2. Apply commit 7ff89b0304d191534b924cf063f3648206d497fa
3. Verify regex input validation is properly implemented

🔧 Temporary Workarounds

Regex Input Validation (applies to: all)

Implement server-side validation to restrict regex patterns and limit complexity.

Resource Limiting (applies to: all)

Configure timeouts and resource limits for regex processing operations.
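The two workarounds above describe what to check but not how. The following is an added illustration, not code from lunary-ai/lunary or from the fix commit: a small Node.js validator that rejects a user-supplied pattern before it is ever compiled or run, based on a length cap and a conservative heuristic for nested quantifiers (a quantified group that itself contains an unbounded quantifier, the shape most often behind catastrophic backtracking). The limit value and the sample patterns are constructed for the example.

```javascript
// Added defensive example (not lunary's own code): screen user-supplied regex
// patterns server-side before compiling or executing them.

const MAX_PATTERN_LENGTH = 200; // assumed limit; tune for the deployment

// Conservative heuristic: returns true when a group that contains an unbounded
// quantifier (*, + or {n,}) is itself quantified, e.g. "(a+)+" or "(\d+\.)+".
// It walks the pattern once, tracking one "contains a quantifier" flag per open
// group, and skips escaped characters and character classes so that "\+" or
// "[+]" are not mistaken for quantifiers.
function hasNestedQuantifier(pattern) {
  const groupHasQuantifier = []; // one boolean per currently open group
  let escaped = false;
  let inClass = false;
  const isQuantifier = (ch) => ch === '*' || ch === '+' || ch === '{';

  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (escaped) { escaped = false; continue; }
    if (ch === '\\') { escaped = true; continue; }
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }

    if (ch === '(') { groupHasQuantifier.push(false); continue; }

    if (ch === ')') {
      const inner = groupHasQuantifier.pop() === true;
      const quantified = isQuantifier(pattern[i + 1]);
      if (inner && quantified) return true; // quantified group with quantifier inside
      // Anything inside this group is also inside the enclosing group, and a
      // quantified group counts as a quantifier for its parent.
      const top = groupHasQuantifier.length - 1;
      if (top >= 0) groupHasQuantifier[top] = groupHasQuantifier[top] || inner || quantified;
      continue;
    }

    if (isQuantifier(ch) && groupHasQuantifier.length > 0) {
      groupHasQuantifier[groupHasQuantifier.length - 1] = true;
    }
  }
  return false;
}

// Validate a pattern submitted by an (authenticated) user. Returns
// { ok: true } or { ok: false, reason } so the caller can log the rejection.
function validatePattern(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'too long' };
  try {
    new RegExp(pattern); // syntax check only; nothing is matched here
  } catch (e) {
    return { ok: false, reason: 'invalid syntax' };
  }
  if (hasNestedQuantifier(pattern)) return { ok: false, reason: 'nested quantifiers' };
  return { ok: true };
}

// Constructed sample submissions, run when the file is executed directly.
const SAMPLE_PATTERNS = [
  '^[a-z]+@[a-z]+\\.[a-z]{2,}$', // ordinary pattern: accepted
  '(a+)+$',                       // textbook nested quantifier: rejected
  '(abc',                         // unbalanced group: rejected as invalid syntax
  'x'.repeat(MAX_PATTERN_LENGTH + 1), // over the length cap: rejected
];

for (const p of SAMPLE_PATTERNS) {
  const verdict = validatePattern(p);
  const shown = p.length > 40 ? p.slice(0, 37) + '...' : p;
  console.log(`${verdict.ok ? 'ACCEPT' : 'REJECT'} ${shown}${verdict.ok ? '' : ' (' + verdict.reason + ')'}`);
}
```

The heuristic errs on the side of rejection (a pattern such as `(?:[a-z]+-)*` is refused even though the separator keeps it linear), which is the right trade-off for an upload endpoint. Because a JavaScript regex match cannot be interrupted on the thread that runs it, the second workaround on this page (timeouts and resource limits) means executing accepted patterns in a worker thread or separate process that can be killed, with a cap on input length; pre-validation alone does not bound execution time.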

🧯 If You Can't Patch

  • Disable regex upload functionality entirely
  • Implement strict authentication and rate limiting on regex endpoints

🔍 How to Verify

Check if Vulnerable:

Check whether the running version is at commit be54057 or earlier

Check Version:

git log --oneline | head -20

Verify Fix Applied:

Verify that the installation includes commit 7ff89b0304d191534b924cf063f3648206d497fa

📡 Detection & Monitoring

Log Indicators:

  • Unusually long regex patterns in upload logs
  • High CPU/memory usage spikes from regex processing

Network Indicators:

  • Multiple regex upload requests from single user
  • Large regex payloads in POST requests

SIEM Query:

source="lunary" AND (regex_upload OR pattern_upload) AND size>1000

🔗 References
