CVE-2024-25176 Overview
CVE-2024-25176 is a stack-based buffer overflow in LuaJIT 2.1 builds that predate the fix commit and in OpenResty luajit2 before v2.1-20240626. The bug is in lj_strfmt_wfnum in lj_strfmt_num.c, the routine that formats floating-point numbers for string.format and related conversions: an index into a stack-allocated digit buffer is advanced without being wrapped, so a crafted number pushes the access past the end of the buffer. The immediate effect is a crash at the point the number is formatted; in the worst case the out-of-bounds access on the stack could be turned into arbitrary code execution.
Critical Impact
The overflow is reachable over the network, without authentication or user interaction, wherever a service formats attacker-supplied numbers with a vulnerable LuaJIT; a successful attack crashes the process at minimum and could in the worst case lead to arbitrary code execution and full compromise of the host.
Affected Products
- LuaJIT 2.1 builds that predate fix commit 343ce0edaf3906a62022936175b2f5410024cbfc (NVD lists this as "LuaJIT through 2.1")
- OpenResty luajit2 before v2.1-20240626
- Applications and services embedding vulnerable LuaJIT versions
Discovery Timeline
- 2025-07-07 - CVE-2024-25176 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-25176
Vulnerability Analysis
The flaw is in lj_strfmt_wfnum, which formats finite floating-point numbers by filling a stack-allocated array, nd[], with groups of decimal digits and then writing those groups out. nd[] is used as a 64-entry ring buffer: the low and high positions, ndlo and ndhi, are kept inside the array by masking with 0x3f (the same as taking the index modulo 64), which is exactly the mask the fix adds. In the trailing-zero stripping path taken for the %g conversion, one advance of ndlo was done with a plain pre-increment instead of the masked form. When ndlo is already at the last slot, the next access lands at nd[64], one past the end of the buffer, and because ndlo is now outside the range ndhi can take, the loop's stop condition (ndlo == ndhi) is never met and the reads continue beyond the array on the stack.
Any application that formats attacker-controlled numbers with a vulnerable LuaJIT is exposed. The obvious entry point is string.format with a %g-style conversion applied to untrusted input, and a service that runs untrusted Lua scripts can reach the path directly; note also that LuaJIT's default number-to-string conversion (tostring, string concatenation) uses a %g-style format internally, so an explicit string.format call is not required. Because LuaJIT is embedded in network-facing software such as OpenResty/nginx, game servers and other scripting hosts, the practical attack surface is large.
Root Cause
The root cause is an index advance that skips the wrap. nd[] holds 64 entries and is used as a ring, so every index update into it must be reduced modulo 64. The zero-stripping code wrote the next digit group with nd[++ndlo], a plain pre-increment that does not wrap: when ndlo is 63 the access reads nd[64], past the end of the stack buffer. The fix computes ndlo = (ndlo + 1) & 0x3f before the access, so the index wraps from 63 back to 0 and always stays within the 64 entries.
Attack Vector
The bug is reachable over the network with no authentication or user interaction whenever attacker-supplied numbers are formatted by a vulnerable build. Attackers can trigger the overflow by:
- Submitting maliciously crafted numeric values to applications using LuaJIT's string formatting functions
- Exploiting web applications built on OpenResty that process user-controlled numeric input
- Targeting any service that evaluates untrusted Lua scripts using vulnerable LuaJIT versions
// Security patch demonstrating the fix
// Source: https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc
prec--;
if (!i) {
if (ndlo == ndhi) { prec = 0; break; }
- lj_strfmt_wuint9(tail, nd[++ndlo]);
+ ndlo = (ndlo + 1) & 0x3f;
+ lj_strfmt_wuint9(tail, nd[ndlo]);
i = 9;
}
}
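Review bot: the stop check `if (ndlo == ndhi)` one line above the changed access only works while ndlo stays in the same masked 0..63 range as ndhi; with the removed `nd[++ndlo]`, once ndlo stepped past 63 it could never equal ndhi again, so the loop not only read past nd[] but also lost its termination condition. Masking the increment before the next comparison, as the two added lines do, fixes both problems. One suggestion: add a short comment at this point stating that nd[] is a 64-entry ring indexed modulo 64, so the bare 0x3f literal is not silently dropped by a future edit that "simplifies" it back to ++ndlo.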
The patch replaces the unwrapped pre-increment ++ndlo with (ndlo + 1) & 0x3f, so the index wraps from 63 back to 0 and never reaches nd[64]; the read stays inside the 64-entry buffer and the ndlo == ndhi stop condition remains reachable.
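To make the index arithmetic concrete, here is a small C model of the digit-buffer walk. It is an added example written for this page, not LuaJIT's own code, and it assumes only what the hunk above shows: a 64-entry buffer nd[], a low index ndlo and a high index ndhi, and a loop that stops when they meet and otherwise advances ndlo to write the next 9-digit group. walk_groups() runs that loop under both index policies and records where the index goes instead of touching memory, so the unpatched policy is safe to execute; render_groups() writes the groups out with the patched wrap and refuses any index outside the buffer. The names walk_groups, render_groups, ND_SIZE, ND_MASK and MAX_STEPS are this example's own, and the sample contents of nd[] are constructed.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model, not LuaJIT code. nd[] stands in for the digit buffer
 * in lj_strfmt_wfnum: 64 entries, each a 9-digit group, used as a ring.
 * Indices ndlo/ndhi stay valid only if every advance is masked with 0x3f. */
#define ND_SIZE 64
#define ND_MASK 0x3f
#define MAX_STEPS 128 /* cap so the unpatched walk cannot loop forever here */

struct walk_result {
    int visited;        /* groups the loop would have written after the first */
    int max_index;      /* largest index the loop computed */
    bool out_of_bounds; /* an index reached ND_SIZE or beyond */
    bool terminated;    /* the loop stopped because ndlo reached ndhi */
};

/* Advance ndlo towards ndhi the way the stripping loop does: check the stop
 * condition, then step to the next group. patched=false models nd[++ndlo],
 * patched=true models (ndlo + 1) & 0x3f. Only the index is tracked, so the
 * unpatched policy is safe to run. */
static struct walk_result walk_groups(uint32_t ndlo, uint32_t ndhi, bool patched)
{
    struct walk_result r = { 0, (int)ndlo, false, false };
    for (int step = 0; step < MAX_STEPS; step++) {
        if (ndlo == ndhi) { r.terminated = true; break; }
        ndlo = patched ? ((ndlo + 1) & ND_MASK) : ndlo + 1;
        r.visited++;
        if ((int)ndlo > r.max_index) r.max_index = (int)ndlo;
        if (ndlo >= ND_SIZE) r.out_of_bounds = true;
    }
    return r;
}

/* Write the groups from ndlo through ndhi as zero-padded 9-digit chunks,
 * advancing with the patched wrap (the role lj_strfmt_wuint9 plays in the
 * hunk). Returns the number of characters written, or -1 if an index would
 * leave nd[] or the output buffer is too small. */
static int render_groups(const uint32_t nd[ND_SIZE], uint32_t ndlo, uint32_t ndhi,
                         char *out, size_t outlen)
{
    size_t pos = 0;
    for (;;) {
        if (ndlo >= ND_SIZE || pos + 10 > outlen) return -1;
        if (snprintf(out + pos, outlen - pos, "%09" PRIu32, nd[ndlo]) != 9) return -1;
        pos += 9;
        if (ndlo == ndhi) break;
        ndlo = (ndlo + 1) & ND_MASK;
    }
    return (int)pos;
}

int main(void)
{
    /* Constructed input: the live range wraps around the end of the ring. */
    uint32_t nd[ND_SIZE] = { 0 };
    nd[63] = 1; nd[0] = 2; nd[1] = 3;
    char out[64];

    struct walk_result bad = walk_groups(63, 1, false);
    struct walk_result good = walk_groups(63, 1, true);
    printf("unpatched: max index %d, out of bounds %d, terminated %d\n",
           bad.max_index, bad.out_of_bounds, bad.terminated);
    printf("patched:   max index %d, out of bounds %d, terminated %d\n",
           good.max_index, good.out_of_bounds, good.terminated);

    int n = render_groups(nd, 63, 1, out, sizeof out);
    printf("rendered %d chars: %s\n", n, n > 0 ? out : "(error)");
    return 0;
}
```

With ndlo at 63 and ndhi at 1, the unpatched walk climbs to index 64 and beyond and never hits the stop condition, while the patched walk visits 0 and 1 and stops; when the live range does not cross the end of the ring the two policies behave identically, which is why the bug only shows for particular numeric inputs.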
Detection Methods for CVE-2024-25176
Indicators of Compromise
- Unexpected crashes or segmentation faults in LuaJIT-based applications during number formatting (string.format with %g, or plain number-to-string conversion)
- Stack corruption or out-of-bounds access reports from memory-safety tooling in application logs
- Web request logs showing repeated requests that vary only in a numeric parameter, consistent with probing for the triggering value
- Core dumps or crash reports with lj_strfmt_wfnum (lj_strfmt_num.c) on the stack
Detection Strategies
- Deploy memory safety monitoring tools to detect stack buffer overflow attempts in LuaJIT processes
- Implement application-level logging for string formatting operations with anomalous numeric inputs
- Use SentinelOne's behavioral AI to detect exploitation attempts targeting memory corruption vulnerabilities
- Monitor for unusual process behavior in applications using LuaJIT, including unexpected memory allocation patterns
Monitoring Recommendations
- Enable AddressSanitizer (ASan) in development and staging environments to detect memory corruption
- Configure SentinelOne Singularity to monitor LuaJIT-based applications for exploitation indicators
- Implement network-level monitoring for requests containing unusually formatted numeric values
- Review application logs for patterns consistent with fuzzing or exploitation attempts against formatting functions
How to Mitigate CVE-2024-25176
Immediate Actions Required
- Update LuaJIT to a version containing commit 343ce0edaf3906a62022936175b2f5410024cbfc or later
- Update OpenResty luajit2 to version v2.1-20240626 or later
- Identify all applications in your environment using LuaJIT and prioritize patching based on network exposure
- Apply vendor patches from Debian LTS or other distribution-specific security updates
Patch Information
The vulnerability has been addressed through official commits to both the LuaJIT and OpenResty luajit2 repositories. The fix changes the index update in lj_strfmt_wfnum so that the index is wrapped with the 0x3f mask before the buffer is accessed, keeping it inside the 64-entry digit buffer. Organizations should apply the patch from the LuaJIT GitHub Commit or update to patched distribution packages. Debian users can refer to the Debian LTS Announcement for package updates.
Workarounds
- Restrict network access to LuaJIT-based applications until patching is complete
- Implement input validation on numeric values before they reach string formatting functions; treat this as a partial measure, since the trigger is a valid floating-point number rather than malformed input, so validation can narrow the exposed range but cannot eliminate it
- Deploy web application firewall rules to filter potentially malicious numeric input patterns
- Isolate LuaJIT processes using containerization or sandboxing to limit impact of potential exploitation
# Verify the LuaJIT version in use and check a source tree for the fix
# Print the version string of the luajit binary on PATH
luajit -v
# For an OpenResty install, the bundled LuaJIT is reported by the bundled binary
/usr/local/openresty/luajit/bin/luajit -v
# In a source checkout (replace /path/to/luajit), confirm the upstream fix commit is an ancestor of HEAD;
# luajit2 may carry the fix under its own commit, so fall back to the source check below if this fails
git -C /path/to/luajit merge-base --is-ancestor 343ce0edaf3906a62022936175b2f5410024cbfc HEAD && echo "fix present" || echo "fix NOT present"
# Look for the patched index update itself; the bare 0x3f mask appears elsewhere in the file and is not diagnostic on its own
grep -n 'ndlo = (ndlo + 1) & 0x3f' /path/to/luajit/src/lj_strfmt_num.c || echo "patched line not found"
# For OpenResty, the luajit2 version must be v2.1-20240626 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.