CVE-2024-25177 — NULL Pointer Dereference in Luajit

CWE-476 — NULL Pointer Dereference CWE-125 — Out-of-bounds Read6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 43.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Luajit Debian Luajit Msrc Cbl2 Luajit 2.1.0-27 ON CBL Mariner 2.0

Timeline

PublishedJul 7

Latest updateJul 8

Description

LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶msrcmsrc/cbl2_luajit_2.1.0-27_on_cbl_mariner_2.0

▶debiandebian/luajit< luajit 2.1.0~beta3+git20220320+dfsg-4.1+deb12u1 (bookworm)

▶Debianluajit/luajit< 2.1.0~beta3+dfsg-5.3+deb11u1+3

▶NVDluajit/luajit2.1.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-25177: LuaJIT through 2↗2025-07-07

▶

GHSA

GHSA-f734-p3hx-8cw4: LuaJIT through 2↗2025-07-07

▶

📋Vendor Advisories

Microsoft

LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS).↗2025-07-08

▶

Red Hat

luajit: Out of bounds read in LuaJIT↗2025-07-07

▶

Debian

CVE-2024-25177: luajit - LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an unsinking ...↗2024

▶