CVE-2024-25176
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-11-03
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| luajit | luajit | up to 2.1.0 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-25176 is a stack-buffer-overflow vulnerability in LuaJIT versions up to 2.1, specifically in the function lj_strfmt_wfnum within the source file lj_strfmt_num.c. This flaw occurs due to improper handling of data during number formatting, allowing an attacker to overflow a buffer on the stack. Exploiting this vulnerability can lead to memory leaks or cause the application to crash (denial of service). [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to cause a denial of service (application crash) or leak sensitive information from memory. Such impacts can disrupt service availability and potentially expose confidential data handled by the LuaJIT application. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stack-buffer-overflow in LuaJIT's lj_strfmt_wfnum function. Detection involves identifying whether your system is running LuaJIT version 2.1 or earlier. Since the vulnerability relates to number formatting with the `%g` specifier, you could test LuaJIT behavior by running Lua scripts that format numbers using `%g` and observing for crashes or abnormal behavior. No specific network detection commands are provided. To check the LuaJIT version, run: `luajit -v`. For testing the vulnerability, you might run a Lua script that triggers number formatting with `%g` and monitor for crashes or memory errors. [1]
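The version check above can be scripted so that it runs the same way on every host in an inventory. The POSIX sh below is an added example, not code from BaseFortify or from the LuaJIT project: it parses the first line of the `luajit -v` banner, compares the major.minor.patch triple against the affected range stated on this page (up to and including 2.1.0), and reports the result. The banner strings used for illustration are constructed. Because 2.1 rolling builds carry a numeric suffix greater than 0, a version number alone cannot show whether the fix commit is present in such a build, so the script reports those as inconclusive rather than as safe.

```shell
#!/bin/sh
# Added example (not part of the BaseFortify page or the LuaJIT project).
# Classifies a `luajit -v` banner against the affected range on this page.

# Extract "major.minor.patch" from a banner such as (constructed sample):
#   "LuaJIT 2.1.0-beta3 -- Copyright (C) 2005-2017 Mike Pall. https://luajit.org/"
luajit_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^LuaJIT \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2.\3/p'
}

# Exit status:
#   0 = version is within the affected range (up to and including 2.1.0)
#   1 = version is newer than the affected range
#   2 = banner could not be parsed
#   3 = 2.1 rolling build (patch > 0): the number alone does not show
#       whether commit 343ce0edaf3906a62022936175b2f5410024cbfc is included
luajit_affected() {
    ver=$(luajit_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -gt 2 ]; then return 1; fi
    if [ "$minor" -lt 1 ]; then return 0; fi
    if [ "$minor" -gt 1 ]; then return 1; fi
    if [ "$patch" -le 0 ]; then return 0; fi
    return 3
}

# Print a human-readable verdict for one banner and pass the status through.
report_banner() {
    luajit_affected "$1"
    rc=$?
    case $rc in
        0) echo "AFFECTED RANGE: $1" ;;
        1) echo "outside affected range: $1" ;;
        2) echo "could not parse version: $1" ;;
        3) echo "INCONCLUSIVE (2.1 rolling build, verify fix commit is included): $1" ;;
    esac
    return $rc
}

# Check the interpreter on this host, if one is installed.
check_local_luajit() {
    command -v luajit >/dev/null 2>&1 || { echo "luajit not found in PATH"; return 2; }
    banner=$(luajit -v 2>&1 | head -n 1)
    report_banner "$banner"
}

# Run the local check when executed directly; the verdict is printed above.
check_local_luajit || :
```

Run the script on each host, or source it and call `report_banner` on banners collected by a configuration-management tool. A status of 0 or 3 means the build should be reviewed against the fix commit named in the mitigation section.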
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update LuaJIT to a version that includes the fix for CVE-2024-25176. The fix is available in the commit 343ce0edaf3906a62022936175b2f5410024cbfc, which corrects the number formatting function to prevent the stack-buffer-overflow. If updating is not immediately possible, avoid using the `%g` specifier in number formatting within LuaJIT to reduce risk of triggering the vulnerability. [2]