CVE-2024-8998

7.5 HIGH

📋 TL;DR

A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary allows attackers to submit specially crafted inputs that cause the server to hang for extended periods by exploiting inefficient regex matching. This affects all users running vulnerable versions of the lunary software with the default JavaScript regex engine.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: All versions before 1.4.26
Operating Systems: All platforms running Node.js/JavaScript
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default JavaScript regex engine implementation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion, preventing legitimate users from accessing the application.

🟠 Likely Case: Degraded performance and intermittent service disruptions affecting user experience.

🟢 If Mitigated: Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting specific input patterns but doesn't require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.26

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/f2bfa036caf2c48686474f4560a9c5abcf5f43b7

Restart Required: No

Instructions:

1. Update the lunary package to version 1.4.26 or later using npm update lunary.
2. Verify the update completed successfully.
3. Test application functionality.

🔧 Temporary Workarounds

Implement Input Validation
Applies to: all

Add server-side validation to limit input length and reject suspicious patterns before regex processing.

Add Rate Limiting
Applies to: all

Implement request rate limiting to prevent repeated exploitation attempts.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block suspicious regex patterns
  • Monitor server CPU usage and set alerts for abnormal spikes

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list lunary to see whether the installed version is below 1.4.26.

Check Version:

npm list lunary | grep lunary

Verify Fix Applied:

Confirm lunary version is 1.4.26 or higher using npm list lunary

📡 Detection & Monitoring

Log Indicators:

  • Unusually long request processing times
  • Repeated requests with similar patterns containing curly braces
  • High CPU usage alerts

Network Indicators:

  • Multiple requests with crafted payloads containing { characters
  • Abnormal request patterns to endpoints processing user input

SIEM Query:

source="application_logs" AND (message="*{*" OR duration>5000ms)
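As an added example, not code from the lunary project or from this advisory, the following Node.js snippet shows the two defensive measures this page recommends: bounding untrusted input before it reaches any regex (the Temporary Workarounds above) and triaging log lines by the indicators listed in this section. The thresholds, the log field names (id, duration, message) and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example (not lunary's code). Thresholds are illustrative assumptions.
const MAX_INPUT_LENGTH = 512;   // assumption: cap applied before regex processing
const MAX_BRACES = 8;           // assumption: brace-heavy inputs are treated as suspicious
const SLOW_REQUEST_MS = 5000;   // matches the duration threshold in the SIEM query above

// Pre-filter for untrusted strings. Returns {ok: true} or {ok: false, reason}.
function guardInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  if (input.length > MAX_INPUT_LENGTH) return { ok: false, reason: 'too-long' };
  const braces = (input.match(/[{}]/g) || []).length;
  if (braces > MAX_BRACES) return { ok: false, reason: 'too-many-braces' };
  return { ok: true };
}

// Run a regex only on inputs that passed the guard. Even a super-linear
// pattern stays cheap when the input length is bounded first.
function safeTest(re, input) {
  const verdict = guardInput(input);
  if (!verdict.ok) return { matched: false, rejected: verdict.reason };
  return { matched: re.test(input), rejected: null };
}

// Triage JSON log lines: flag slow requests and messages containing '{'.
// Malformed lines are skipped rather than crashing the triage.
function triageLogs(lines) {
  const flagged = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const reasons = [];
    if (typeof rec.duration === 'number' && rec.duration > SLOW_REQUEST_MS) reasons.push('slow');
    if (typeof rec.message === 'string' && rec.message.includes('{')) reasons.push('brace');
    if (reasons.length > 0) flagged.push({ id: rec.id, reasons });
  }
  return flagged;
}

// Constructed sample log lines (not taken from any real deployment).
const SAMPLE_LOGS = [
  '{"id":1,"duration":120,"message":"hello"}',
  '{"id":2,"duration":9200,"message":"{{{{{{{{{{{{{{{{"}',
  '{"id":3,"duration":300,"message":"a{b}"}',
  'not json at all',
];

console.log(triageLogs(SAMPLE_LOGS));
```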
