CVE-2024-25178
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-11-03
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| luajit | luajit | up to 2.1.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-25178 is a critical memory corruption vulnerability in LuaJIT versions up to 2.1. It occurs due to improper handling of the stack overflow condition, specifically in the garbage collector sweep phase and the stack-overflow handler in lj_state.c. The vulnerability involves a global buffer overflow caused by incorrect traversal and freeing of garbage-collected objects, leading to out-of-bounds reads. This flaw can result in arbitrary code execution or denial of service. [1, 3]
How can this vulnerability impact me?
This vulnerability can lead to denial of service (DoS) by crashing the LuaJIT process or potentially allow an attacker to execute arbitrary code due to memory corruption. The improper handling of stack overflow and garbage collection can cause the program to behave unpredictably or be exploited to compromise system security. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or abnormal behavior in LuaJIT processes, especially during garbage collection or stack overflow conditions. Using AddressSanitizer (ASAN) instrumentation during fuzz testing or runtime can help detect the global buffer overflow in the gc_sweep function. There are no specific network detection commands provided. For system-level detection, running LuaJIT with ASAN enabled or fuzzing tools targeting the garbage collector and stack overflow handling code can reveal the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating LuaJIT to a version that includes the patch from commit defe61a56751a0db5f00ff3ab7b8f45436ba74c8, which reworks stack overflow handling to prevent this vulnerability. If updating is not immediately possible, avoid running untrusted Lua code that could trigger stack overflows, and consider applying runtime protections such as ASAN to detect memory corruption. Monitoring and limiting stack growth requests can also help reduce risk. [2]