CVE-2025-59336
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-09-17

Assigner: GitHub, Inc.

Description
Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-09-17
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59336
EUVD
EUVD-2025-29636
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lumen luanox *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59336 is a relative path traversal vulnerability in the Lua package 'luanox' prior to version 0.1.1. The vulnerability occurs because the rockspec verification system does not properly filter package names containing sequences like '../../package'. This allows an attacker to upload files to arbitrary relative paths, potentially overwriting Phoenix runtime files. If exploited carefully, this can cause the website to crash, resulting in a denial of service. [2]

Impact Analysis

This vulnerability can lead to a denial of service by allowing an attacker to overwrite Phoenix runtime files, causing the website to crash. However, the impact is considered relatively low because only Lua files are allowed for upload, the site does not store Lua scripts that could be hijacked for arbitrary code execution, and overwriting other rockspec files is prevented by filename integrity checks. [2]

Detection Guidance

Detection of this vulnerability involves identifying attempts to upload Lua packages with malicious package names containing relative path traversal sequences like "../../". Monitoring logs for such suspicious package names or file upload attempts can help. Since the vulnerability is related to improper filtering of package names in the rockspec verification system, you can search for files or requests containing patterns like ".." or "../" in package names or paths. For example, on a system storing uploaded packages, you could run commands like: `grep -r '\.\./' /path/to/uploaded/packages` to find any files or logs containing directory traversal sequences. Additionally, network monitoring tools could be configured to alert on HTTP requests containing such patterns in package upload parameters. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the LuaNox package to version 0.1.1 or later, where the vulnerability is fixed. The fix includes strict validation of package names to allow only alphanumeric characters, underscores, hyphens, and spaces, preventing directory traversal sequences. If upgrading is not immediately possible, you should implement input validation on package names to reject any containing ".." or other path traversal characters, and restrict uploads to safe directories. Monitoring and blocking suspicious upload attempts can also help reduce risk until the patch is applied. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart