CVE-2024-25177
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-11-03
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| luajit | luajit | up to and including 2.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-25177 is a vulnerability in LuaJIT versions up to 2.1 caused by improper handling of the IR_FSTORE intermediate representation instruction when dealing with NULL metatables. This flaw leads to incorrect processing during JIT compilation and garbage collection, causing crashes such as segmentation faults due to null or invalid metatable dereferences. Essentially, when LuaJIT tries to restore or manipulate tables with NULL metatables, it can trigger a Denial of Service (DoS) by crashing the application. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by causing Denial of Service (DoS) conditions in applications using vulnerable LuaJIT versions. Specifically, an attacker or malformed input can trigger crashes or segmentation faults during LuaJIT's garbage collection or JIT compilation phases, leading to application instability or downtime. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing LuaJIT versions up to and including 2.1 for crashes or Denial of Service conditions triggered by operations involving tables with NULL metatables. A practical approach is to run LuaJIT with scripts that manipulate tables with NULL metatables or use the provided proof-of-concept code that triggers the segmentation fault during garbage collection. Specific commands would involve executing LuaJIT with such test scripts and monitoring for crashes or abnormal termination. However, no explicit detection commands are provided in the resources. [3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update LuaJIT to a version that includes the fix (commit 85b4fed0b0353dd78c8c875c2f562d522a2b310f). This patch corrects the handling of NULL metatables during the unsinking of the IR_FSTORE instruction, preventing the Denial of Service condition. If updating is not immediately possible, avoid running untrusted LuaJIT code that manipulates tables with NULL metatables, and monitor for crashes related to this issue. [2]
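One way to confirm that a LuaJIT source tree already contains the fix commit named above, as an added example that is not part of the original page or of the LuaJIT project. It assumes LuaJIT is built from a git checkout with full history; the function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example: does a LuaJIT git checkout contain the fix commit cited on this page?
FIX_COMMIT=85b4fed0b0353dd78c8c875c2f562d522a2b310f

# luajit_has_fix DIR [COMMIT]   (hypothetical helper)
#   0 = fix commit is an ancestor of HEAD (patched)
#   1 = commit exists in the repository but is not in HEAD's history
#   2 = cannot decide: not a git work tree, or the commit object is absent
#       (shallow clone, tarball import, or a vendored copy in another repo)
# Caveat: a downstream backport made by cherry-pick has a different commit id
# and is reported as 1 or 2; confirm such trees with the packager.
luajit_has_fix() {
    dir=$1
    commit=${2:-$FIX_COMMIT}
    git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 2
    # Without the commit object locally, an ancestry test says nothing.
    git -C "$dir" cat-file -e "${commit}^{commit}" 2>/dev/null || return 2
    if git -C "$dir" merge-base --is-ancestor "$commit" HEAD 2>/dev/null; then
        return 0
    fi
    return 1
}

# describe_luajit_tree DIR [COMMIT]: one-line verdict for inventory reports.
describe_luajit_tree() {
    rc=0
    luajit_has_fix "$1" "${2:-$FIX_COMMIT}" || rc=$?
    case $rc in
        0) echo "patched: $1 contains the fix commit" ;;
        1) echo "vulnerable: $1 does not contain the fix commit" ;;
        *) echo "unknown: $1 has no usable git history for this check" ;;
    esac
}

# Stand-alone use: sh check.sh /path/to/LuaJIT
if [ "$#" -gt 0 ]; then
    describe_luajit_tree "$1"
fi
```

An "unknown" result is common for distribution packages and vendored copies; in that case rely on the packager's advisory rather than the version string.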