CVE-2024-25178 Overview
CVE-2024-25178 is an out-of-bounds read vulnerability affecting LuaJIT through version 2.1 and OpenResty luajit2 before v2.1-20240314. LuaJIT 2.1 is a rolling release, so "through 2.1" means any 2.1 build that predates the fix commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8. The flaw is in the stack-overflow handler in lj_state.c: when the VM handles a Lua stack overflow, insufficient boundary checks allow it to read memory outside the stack's allocated buffer.
Critical Impact
The handler runs whenever a Lua stack overflow occurs, so any attacker who can make an embedding application execute attacker-controlled Lua, or drive existing Lua code into unbounded recursion, can reach the flaw without authentication. The realistic outcomes are a crash of the process or worker embedding LuaJIT (denial of service) and, where the over-read bytes are reflected back to the attacker, disclosure of adjacent heap memory. Whether the flaw is reachable remotely depends entirely on whether the application exposes Lua execution or Lua-driven deep recursion to network input.
Affected Products
- LuaJIT through version 2.1
- OpenResty luajit2 versions prior to v2.1-20240314
- Applications and services embedding vulnerable LuaJIT versions
Discovery Timeline
- 2024-03-14 - OpenResty luajit2 v2.1-20240314 released with the fix (the upstream LuaJIT fix commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8 predates it)
- 2025-07-07 - CVE-2024-25178 published to NVD, more than a year after the fix was available
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-25178
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), a memory safety issue that occurs when software reads data from a location that is outside the bounds of the intended buffer. In the context of LuaJIT, this flaw manifests specifically within the stack-overflow handler implementation in lj_state.c.
When LuaJIT detects that the Lua stack is exhausted, the handler raises the "stack overflow" error and gives the error path a small amount of extra stack to run in. Due to insufficient boundary validation, the handler can read beyond the end of the stack's allocation. The stack is a heap-allocated array, so the over-read touches adjacent heap memory: this crashes the process when the read crosses into unmapped memory, and can leak heap contents when the error path's output is returned to the caller.
The Network attack vector in the CVSS score reflects how LuaJIT is usually deployed (OpenResty, nginx with lua-nginx-module, and other services that evaluate Lua in request handling) rather than a flaw in a network protocol. It is triggered by whatever lets an attacker push the VM to stack exhaustion: a crafted Lua script where the service accepts scripts, or crafted input that makes existing Lua code recurse without bound. No privileges or user interaction are needed beyond that, which makes internet-facing services that expose such a path the main concern.
Root Cause
The root cause lies in inadequate bounds checking within the stack-overflow handler in lj_state.c. When the Lua VM detects a stack overflow condition, the error handling code fails to properly validate memory access boundaries before reading stack data. This allows reads to extend beyond the legitimate stack memory region into adjacent memory areas.
The fix, implemented in commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8, corrects the bounds handling in the stack-overflow path so that reads during stack-overflow handling stay within the allocated stack.
Attack Vector
An attacker exploits this vulnerability by driving the VM into a stack overflow in a controlled way, so that the vulnerable handler runs. There is no need to corrupt memory beforehand; the over-read happens in LuaJIT's own error-handling code.
The attack scenario involves:
- Identifying an application using a vulnerable LuaJIT version that evaluates external Lua scripts, or whose Lua code recurses in proportion to untrusted input
- Crafting a script or input that causes deep non-tail recursion (proper tail calls do not consume stack, so the recursion has to keep a frame live, for example by using the callee's result) until the Lua stack is exhausted
- Letting the out-of-bounds read in the handler crash the process, or capturing the error path's output to leak memory contents
Technical details and a proof of concept are available in the GitHub Gist PoC and the GitHub Issue Discussion.
Detection Methods for CVE-2024-25178
Indicators of Compromise
- Unexpected crashes or segmentation faults in LuaJIT-embedded applications during Lua script execution
- Heap-buffer-overflow or out-of-bounds read reports from sanitizer-instrumented LuaJIT builds, with lj_state.c frames in the stack trace
- Stack overflow errors followed by application instability or crashes
- Unusual Lua scripts with deeply nested recursive function calls
Detection Strategies
- Monitor for segmentation faults and memory access violations in processes using LuaJIT
- Implement runtime application self-protection (RASP) to detect out-of-bounds memory access attempts
- Use AddressSanitizer (ASan) in development and testing environments to identify out-of-bounds reads
- Review application logs for repeated stack overflow errors that may indicate exploitation attempts
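The attack steps above and the AddressSanitizer strategy in this list both come down to the same test: push a LuaJIT build to a Lua stack overflow on purpose and see whether the handler misbehaves. The harness below is an added example, not the published PoC and not code from the LuaJIT or OpenResty projects. The Lua probe it writes is constructed here: it exercises the two ways the stack-overflow path is normally reached (a plain overflow caught by pcall, and an overflow while an xpcall error handler is installed). Whether that reaches the exact read the advisory describes is not something this page confirms; the harness only reports what a sanitizer-instrumented interpreter says about it. The ASan output sample used to test the parser is also constructed, with illustrative frames and line numbers.

```python
"""Probe harness for LuaJIT stack-overflow handling under AddressSanitizer.

Run it against a LuaJIT built with ASan, e.g. (LuaJIT's Makefile uses CC for
linking too):
    make CC="clang -fsanitize=address" XCFLAGS="-DLUAJIT_USE_SYSMALLOC"
LUAJIT_USE_SYSMALLOC matters: LuaJIT's bundled allocator is invisible to ASan,
so heap bounds are only checked with the system allocator (on x64 this needs
GC64 mode; see the comment in src/Makefile).

This is an added example, not the published proof of concept.
"""
import os
import re
import subprocess
import sys
import tempfile

# Constructed Lua probe (hypothetical, not the advisory's PoC).
PROBE_LUA = r"""
-- Non-tail recursion: "dive(n + 1) + 1" keeps every frame live, so the call
-- depth grows until LuaJIT raises "stack overflow" and runs the handler in
-- lj_state.c. A plain "return dive(n + 1)" would be a tail call and never
-- overflow.
local function dive(n) return dive(n + 1) + 1 end

-- Path 1: overflow caught by pcall.
local ok, err = pcall(dive, 0)
assert(not ok and tostring(err):find("stack overflow", 1, true),
       "expected stack overflow, got: " .. tostring(err))

-- Path 2: overflow with an xpcall handler installed, and the handler itself
-- overflowing again, so the error path runs on an already exhausted stack.
local ok2 = xpcall(function() return dive(0) end, function(e) return dive(0) end)
assert(not ok2, "xpcall unexpectedly succeeded")

io.write("PROBE_DONE\n")
"""

ASAN_ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: ([\w-]+)", re.M)
ASAN_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
# Symbolized frame: "#0 0x... in func /path/file.c:LINE:COL"; the file part is
# optional because unsymbolized frames show "(binary+0xoffset)" instead.
ASAN_FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+)(?: (\S+?):(\d+))?", re.M)

# Constructed sample of what an ASan report could look like; the frames and
# line numbers are illustrative, not taken from a real run.
SAMPLE_ASAN_STDERR = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000012340 at pc 0x55d3e4b2c1a3 bp 0x7ffd11a0 sp 0x7ffd1190
READ of size 8 at 0x625000012340 thread T0
    #0 0x55d3e4b2c1a3 in lj_state_growstack /src/LuaJIT/src/lj_state.c:136:12
    #1 0x55d3e4b2d0f7 in lj_vm_call /src/LuaJIT/src/lj_vm.S:123
    #2 0x55d3e4b00123 in main (/src/LuaJIT/src/luajit+0x5123)
"""


def classify(stdout, stderr, returncode):
    """Turn a probe run into a verdict: asan, clean, crash or error."""
    m = ASAN_ERROR_RE.search(stderr)
    if m:
        frames = ASAN_FRAME_RE.findall(stderr)
        acc = ASAN_ACCESS_RE.search(stderr)
        return {
            "verdict": "asan",
            "kind": m.group(1),
            "access": acc.group(1) if acc else None,
            "size": int(acc.group(2)) if acc else None,
            "top_frames": [f[0] for f in frames[:5]],
            # The advisory places the bug in lj_state.c; flag it when a frame
            # from that file is on the report's stack.
            "in_lj_state_c": any(f[1].endswith("lj_state.c") for f in frames),
        }
    if returncode == 0 and "PROBE_DONE" in stdout:
        return {"verdict": "clean"}
    if returncode < 0:  # killed by a signal (SIGSEGV = 11) without an ASan report
        return {"verdict": "crash", "signal": -returncode}
    return {"verdict": "error", "returncode": returncode, "stderr_tail": stderr[-400:]}


def run_probe(luajit="luajit", timeout=60):
    """Write the probe to a temp file, run it under the given interpreter, classify."""
    with tempfile.NamedTemporaryFile("w", suffix=".lua", delete=False) as f:
        f.write(PROBE_LUA)
        path = f.name
    env = dict(os.environ, ASAN_OPTIONS="detect_leaks=0:abort_on_error=0")
    try:
        p = subprocess.run([luajit, path], capture_output=True, text=True,
                           timeout=timeout, env=env)
    finally:
        os.unlink(path)
    return classify(p.stdout, p.stderr, p.returncode)


if __name__ == "__main__":
    print(run_probe(sys.argv[1] if len(sys.argv) > 1 else "luajit"))
```

A "clean" verdict from an ASan build is only evidence that the probe did not reach an over-read, not proof that the build is patched; confirm the fix by checking that the build includes commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8 or is OpenResty luajit2 v2.1-20240314 or later.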
Monitoring Recommendations
- Enable enhanced logging for Lua script execution errors and stack overflow events
- Configure crash reporting to capture and analyze segmentation faults in LuaJIT processes
- Monitor network traffic for suspicious patterns targeting LuaJIT-embedded web services
- Implement application performance monitoring to detect unusual memory consumption or crashes
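The log review and crash-reporting recommendations above can be turned into a concrete triage rule: a worker that dies on SIGSEGV shortly after logging a Lua "stack overflow" error is the pattern to escalate, and repeated stack overflow errors from one client are worth a look even without a crash. The detector below is an added example, not code from any project on this page. It assumes nginx error-log formatting as produced by lua-nginx-module (a timestamped "lua entry thread aborted: runtime error: ... stack overflow" record whose traceback spans several lines, with the ", client: ..." suffix on the traceback's last line, and the master's "worker process N exited on signal 11" alert). The sample log is constructed, not from a real incident, and the thresholds are illustrative.

```python
"""Triage nginx/OpenResty error logs for Lua stack overflows followed by worker crashes.

Added example; assumes lua-nginx-module log formatting and constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample error log (not from a real incident). Tracebacks are
# multi-line and the ", client: ..." suffix lands on the traceback's last line,
# so records must be reassembled before matching.
SAMPLE_LOG = """\
2024/03/20 10:15:01 [error] 1234#0: *88 lua entry thread aborted: runtime error: /etc/nginx/lua/handler.lua:12: stack overflow
stack traceback:
coroutine 0:
\t/etc/nginx/lua/handler.lua:12: in function 'walk'
\t/etc/nginx/lua/handler.lua:12: in function 'walk'
\t..., client: 203.0.113.7, server: example.com, request: "POST /api/eval HTTP/1.1", host: "example.com"
2024/03/20 10:15:01 [error] 1234#0: *89 lua entry thread aborted: runtime error: /etc/nginx/lua/handler.lua:12: stack overflow
stack traceback:
coroutine 0:
\t/etc/nginx/lua/handler.lua:12: in function 'walk', client: 203.0.113.7, server: example.com, request: "POST /api/eval HTTP/1.1", host: "example.com"
2024/03/20 10:15:02 [alert] 1000#0: worker process 1234 exited on signal 11 (core dumped)
2024/03/20 10:15:02 [notice] 1000#0: start worker process 1240
2024/03/20 10:16:40 [error] 1240#0: *91 lua entry thread aborted: runtime error: /etc/nginx/lua/handler.lua:30: attempt to index a nil value, client: 198.51.100.4, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
"""

TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (\d+)#\d+: (.*)$")
STKOV_RE = re.compile(r"runtime error: .*?\bstack overflow\b", re.S)
CLIENT_RE = re.compile(r", client: ([0-9a-fA-F.:]+)")
CRASH_RE = re.compile(r"worker process (\d+) exited on signal (\d+)")


def parse_records(text):
    """Group log lines into records: a timestamped line plus its continuation lines."""
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            records.append({
                "ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "level": m.group(2),
                "pid": int(m.group(3)),
                "msg": m.group(4),
            })
        elif records:
            records[-1]["msg"] += "\n" + line  # traceback continuation
    return records


def find_suspicious(text, crash_window=timedelta(seconds=10), repeat_threshold=2):
    """Return findings: repeated overflows per client, and crashes right after an overflow."""
    findings = []
    overflows = []                 # (timestamp, worker pid, client)
    per_client = defaultdict(int)
    for r in parse_records(text):
        if STKOV_RE.search(r["msg"]):
            cm = CLIENT_RE.search(r["msg"])
            client = cm.group(1) if cm else "unknown"
            overflows.append((r["ts"], r["pid"], client))
            per_client[client] += 1
            if per_client[client] == repeat_threshold:
                findings.append({
                    "severity": "medium",
                    "client": client,
                    "reason": f"{repeat_threshold}+ Lua stack overflow errors from one client",
                })
            continue
        cm = CRASH_RE.search(r["msg"])
        if cm and r["level"] == "alert":
            pid, sig = int(cm.group(1)), int(cm.group(2))
            # Only overflows handled by the worker that died, shortly before it died.
            culprits = {c for ts, p, c in overflows
                        if p == pid and timedelta(0) <= r["ts"] - ts <= crash_window}
            if culprits:
                findings.append({
                    "severity": "high",
                    "pid": pid,
                    "signal": sig,
                    "clients": sorted(culprits),
                    "reason": "worker crashed shortly after handling a Lua stack overflow",
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

The pid correlation is what keeps this useful on a busy server: a stack overflow in one worker and a crash in another are unrelated, and a crash minutes after the last overflow is more likely something else. Feed it `tail -F` output or a SIEM export of the error log; for OpenResty, the same messages appear in whatever `error_log` points at.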
How to Mitigate CVE-2024-25178
Immediate Actions Required
- Update LuaJIT to a 2.1 build that includes commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8
- Update OpenResty luajit2 to version v2.1-20240314 or later
- Review and restrict untrusted Lua script execution in production environments
- Implement input validation for any external data processed by Lua scripts
Patch Information
The vulnerability has been patched in the official LuaJIT repository. The fix is available in commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8. OpenResty has also applied the same fix to their luajit2 fork, available in the OpenResty LuaJIT Commit.
Debian users should refer to the Debian LTS Announcement for distribution-specific patching guidance.
Workarounds
- Do not rely on lowering the Lua stack limit: LuaJIT's stack limit is a compile-time constant in its sources, not a runtime setting (there is no LUA_MAXSTACK option in LuaJIT), and a smaller limit does not avoid the vulnerable path, since the handler runs whenever the limit is hit
- Implement sandboxing for Lua script execution to contain potential exploitation
- Restrict network access to services processing untrusted Lua scripts
- Use process isolation and containerization to limit the impact of potential memory disclosure
# Configuration example - bounding what untrusted Lua can do in OpenResty
# Add to nginx.conf http/server block
# Note: none of these directives limits recursion depth, and none prevents the
# stack-overflow handler from running. They only cap the timers and socket waits
# a script can tie up; patching is the only fix for the handler itself.
lua_max_running_timers 256;
lua_max_pending_timers 1024;
# Socket timeouts keep a misbehaving script from holding a worker indefinitely
lua_socket_read_timeout 5s;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

