CVE-2024-4148 Overview
CVE-2024-4148 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting lunary-ai/lunary version 1.2.10. Attackers can exploit poorly constructed regular expression patterns by submitting crafted input that triggers catastrophic backtracking. The resulting CPU exhaustion significantly degrades application response time and can render the service completely non-functional. The vulnerability is remotely exploitable over the network without authentication or user interaction, and falls under [CWE-1333] Inefficient Regular Expression Complexity.
Critical Impact
An unauthenticated remote attacker can crash the Lunary application by sending a single specially crafted HTTP request that triggers catastrophic regex backtracking.
Affected Products
- Lunary AI lunary version 1.2.10
- Self-hosted Lunary deployments running the affected release
- Applications embedding the vulnerable lunary component
Discovery Timeline
- 2024-06-01 - CVE-2024-4148 published to NVD
- 2025-01-30 - Last updated in NVD database
Technical Details for CVE-2024-4148
Vulnerability Analysis
The flaw resides in a regular expression evaluated against attacker-controlled input inside the lunary-ai/lunary request handling path. The pattern contains ambiguous quantifiers that permit exponential backtracking when matched against carefully constructed strings. Each malicious request consumes a worker thread for an extended period, blocking legitimate traffic from being processed. Because Node.js style runtimes execute regex on the single main event loop, even one slow match can stall the entire server. The result is a high-impact availability failure with no impact to confidentiality or integrity.
Root Cause
The root cause is inefficient regular expression complexity [CWE-1333]. The vulnerable pattern uses nested or overlapping quantifiers that the regex engine evaluates with exponential time relative to input length. Lunary does not enforce input length limits or execution timeouts before evaluating the pattern, so an attacker controls both the regex input and the cost of matching.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends an HTTP request containing a specially crafted payload to an endpoint that applies the vulnerable regex. The pattern enters catastrophic backtracking, consuming CPU until the request times out or the process becomes unresponsive. Repeated requests amplify the effect and crash the application. Technical details and the corrective patch are available in the GitHub commit and the Huntr bounty submission.
Detection Methods for CVE-2024-4148
Indicators of Compromise
- Sustained 100% CPU utilization by the lunary Node.js process correlated with inbound HTTP requests.
- Unusually long request durations or worker timeouts in Lunary application logs.
- Repeated requests from a single source containing abnormally long or repetitive character sequences in input fields.
- Application crashes or restarts under the running version 1.2.10.
Detection Strategies
- Monitor application metrics for sudden spikes in event-loop lag or request latency without a corresponding rise in legitimate traffic volume.
- Inspect HTTP request bodies and query parameters for inputs exceeding expected length bounds or containing pathological patterns such as long runs of repeated characters.
- Correlate process-level CPU exhaustion events with web server access logs to identify the triggering endpoint and source IP.
Monitoring Recommendations
- Enable structured logging of request duration and payload size for all Lunary endpoints, then alert on outliers.
- Configure web application firewall rules to flag and rate-limit requests with input lengths beyond defined thresholds.
- Track Node.js process restarts and out-of-memory or timeout signals through your observability platform.
How to Mitigate CVE-2024-4148
Immediate Actions Required
- Upgrade lunary-ai/lunary to a version newer than 1.2.10 that includes the fix from commit 1e8a3d9.
- Place the Lunary application behind a reverse proxy or WAF that enforces request size and timeout limits.
- Restrict network exposure of Lunary instances to trusted networks until the patch is applied.
Patch Information
The vendor fix is published in the upstream repository as commit 1e8a3d941ba5cfef2c478dd5bac4e4a4b4d67830. The commit replaces the vulnerable regular expression with a non-backtracking equivalent and adds input handling that prevents catastrophic matching. Apply the patched release in all production and staging environments running version 1.2.10.
Workarounds
- Enforce strict maximum input length on all fields processed by Lunary, rejecting payloads larger than the documented bounds.
- Run the Lunary process behind a proxy that terminates requests exceeding a fixed CPU or wall-clock budget.
- Deploy WAF signatures that block repetitive character sequences known to trigger ReDoS in the affected endpoint.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
