CVE-2025-59336
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-09-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lumen | luanox | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59336 is a relative path traversal vulnerability in the Lua package 'luanox' prior to version 0.1.1. The vulnerability occurs because the rockspec verification system does not properly filter package names containing sequences like '../../package'. This allows an attacker to upload files to arbitrary relative paths, potentially overwriting Phoenix runtime files. If exploited carefully, this can cause the website to crash, resulting in a denial of service. [2]
How can this vulnerability impact me?
This vulnerability can lead to a denial of service by allowing an attacker to overwrite Phoenix runtime files, causing the website to crash. However, the impact is considered relatively low because only Lua files are allowed for upload, the site does not store Lua scripts that could be hijacked for arbitrary code execution, and overwriting other rockspec files is prevented by filename integrity checks. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to upload Lua packages with malicious package names containing relative path traversal sequences like "../../". Monitoring logs for such suspicious package names or file upload attempts can help. Since the vulnerability is related to improper filtering of package names in the rockspec verification system, you can search for files or requests containing patterns like ".." or "../" in package names or paths. For example, on a system storing uploaded packages, you could run commands like: `grep -r '\.\./' /path/to/uploaded/packages` to find any files or logs containing directory traversal sequences. Additionally, network monitoring tools could be configured to alert on HTTP requests containing such patterns in package upload parameters. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the LuaNox package to version 0.1.1 or later, where the vulnerability is fixed. The fix includes strict validation of package names to allow only alphanumeric characters, underscores, hyphens, and spaces, preventing directory traversal sequences. If upgrading is not immediately possible, you should implement input validation on package names to reject any containing ".." or other path traversal characters, and restrict uploads to safe directories. Monitoring and blocking suspicious upload attempts can also help reduce risk until the patch is applied. [1, 2, 3]
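As an added example written for this page (not LuaNox's own code), the allow-list validation the fix describes, a path-containment check behind it, and the log-side detection suggested above; the detector also decodes URL-encoded traversal (`%2e%2e%2f`), which a plain `../` grep would miss. The exact regex, the `name=` query parameter and the sample log lines are assumptions.

```python
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote

# Allow-list modelled on the fix described above (illustrative, not LuaNox's code):
# letters, digits, underscore, hyphen and space only, so '/', '\\' and '.' cannot appear.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9_\- ]+")

def is_valid_package_name(name: str) -> bool:
    """True only if the whole name matches the allow-list."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None

def resolve_package_dir(base_dir: str, name: str) -> Optional[Path]:
    """Defence in depth: after the allow-list, confirm the resolved directory
    still lies under base_dir. Returns None on rejection instead of raising."""
    if not is_valid_package_name(name):
        return None
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        return None
    return target

# Detection side: a '..' path component, with either separator, anywhere in the value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def find_traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return decoded package-name values from upload log lines that carry a
    traversal sequence. Assumes a 'name=<value>' query parameter (constructed format)."""
    hits = []
    for line in log_lines:
        m = re.search(r"[?&]name=([^&\s\"]+)", line)
        if not m:
            continue
        value = unquote(m.group(1))  # normalise %2e%2e%2f before matching
        if TRAVERSAL_RE.search(value):
            hits.append(value)
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 "POST /upload?name=lua-cjson&version=2.1.0" 200',
    '203.0.113.7 "POST /upload?name=../../package&version=0.1" 200',
    '203.0.113.9 "POST /upload?name=%2e%2e%2f%2e%2e%2fpackage" 200',
]
```

Running `find_traversal_attempts(SAMPLE_LOG)` flags the second and third lines; the first passes both the allow-list and the containment check.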