{"id":"CVE-2024-25176","details":"LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240626 have a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c.","modified":"2026-03-11T07:48:51.910169758Z","published":"2025-07-07T17:15:27.247Z","related":["CGA-fqcg-54rh-wxvf","SUSE-SU-2025:02886-1","SUSE-SU-2025:03378-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00022.html"},{"type":"ADVISORY","url":"https://gist.github.com/pwnhacker0x18/cd75d01fc7c9b6c85c183fbe5353d276"},{"type":"REPORT","url":"https://github.com/LuaJIT/LuaJIT/issues/1149"},{"type":"FIX","url":"https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc"},{"type":"FIX","url":"https://github.com/openresty/luajit2/commit/343ce0edaf3906a62022936175b2f5410024cbfc"},{"type":"EVIDENCE","url":"https://github.com/LuaJIT/LuaJIT/issues/1149"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/luajit/luajit","events":[{"introduced":"0"},{"fixed":"343ce0edaf3906a62022936175b2f5410024cbfc"}]}],"versions":["v2.0.0","v2.0.0-beta1","v2.0.0-beta10","v2.0.0-beta11","v2.0.0-beta2","v2.0.0-beta2-hotfix2","v2.0.0-beta3","v2.0.0-beta4","v2.0.0-beta5","v2.0.0-beta6","v2.0.0-beta7","v2.0.0-beta8","v2.0.0-beta8-fixed","v2.0.0-beta9","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.1","v2.0.1-fixed","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.ROLLING","v2.1.0-beta1","v2.1.0-beta2","v2.1.0-beta3","v2.1.ROLLING"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-25176.json","vanir_signatures":[{"signature_type":"Line","source":"https://github.com/luajit/luajit/commit/343ce0edaf3906a62022936175b2f5410024cbfc","id":"CVE-2024-25176-a4706ff3","digest":{"line_hashes":["184377265502471948946011847305557628028","126985615680567155763244816895876325150","256480103875299304460977140873185636357","150376957051957027109142554037398449154"],"threshold":0.9},"signature_version":"v1","deprecated":false,"target":{"file":"src/lj_strfmt_num.c"}},{"signature_type":"Function","source":"https://github.com/luajit/luajit/commit/343ce0edaf3906a62022936175b2f5410024cbfc","id":"CVE-2024-25176-e6c324de","digest":{"length":9111,"function_hash":"38540755679721982889331743041600852543"},"signature_version":"v1","deprecated":false,"target":{"file":"src/lj_strfmt_num.c","function":"lj_strfmt_wfnum"}}]}},{"ranges":[{"type":"GIT","repo":"https://github.com/openresty/luajit2","events":[{"introduced":"0"},{"fixed":"343ce0edaf3906a62022936175b2f5410024cbfc"}]}],"versions":["v2.0.0","v2.0.0-beta1","v2.0.0-beta10","v2.0.0-beta11","v2.0.0-beta2","v2.0.0-beta2-hotfix2","v2.0.0-beta3","v2.0.0-beta4","v2.0.0-beta5","v2.0.0-beta6","v2.0.0-beta7","v2.0.0-beta8","v2.0.0-beta8-fixed","v2.0.0-beta9","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.1","v2.0.1-fixed","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.1.0-beta1","v2.1.0-beta2","v2.1.0-beta3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-25176.json","vanir_signatures":[{"signature_type":"Line","id":"CVE-2024-25176-19801fc3","source":"https://github.com/openresty/luajit2/commit/343ce0edaf3906a62022936175b2f5410024cbfc","digest":{"line_hashes":["184377265502471948946011847305557628028","126985615680567155763244816895876325150","256480103875299304460977140873185636357","150376957051957027109142554037398449154"],"threshold":0.9},"signature_version":"v1","deprecated":false,"target":{"file":"src/lj_strfmt_num.c"}},{"signature_type":"Function","source":"https://github.com/openresty/luajit2/commit/343ce0edaf3906a62022936175b2f5410024cbfc","id":"CVE-2024-25176-da55b03f","digest":{"length":9111,"function_hash":"38540755679721982889331743041600852543"},"signature_version":"v1","deprecated":false,"target":{"file":"src/lj_strfmt_num.c","function":"lj_strfmt_wfnum"}}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}