{"id":"CVE-2024-25177","details":"LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS).","modified":"2026-03-11T07:54:33.268914312Z","published":"2025-07-07T17:15:27.403Z","related":["CGA-qmfj-c9jj-4743","SUSE-SU-2025:02886-1","SUSE-SU-2025:03378-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00022.html"},{"type":"ADVISORY","url":"https://gist.github.com/pwnhacker0x18/a73f560d79f2c3d4011d6c5a2676f04a"},{"type":"REPORT","url":"https://github.com/LuaJIT/LuaJIT/issues/1147"},{"type":"FIX","url":"https://github.com/LuaJIT/LuaJIT/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f"},{"type":"FIX","url":"https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f"},{"type":"EVIDENCE","url":"https://github.com/LuaJIT/LuaJIT/issues/1147"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/luajit/luajit","events":[{"introduced":"0"},{"fixed":"85b4fed0b0353dd78c8c875c2f562d522a2b310f"}]}],"versions":["v2.0.0","v2.0.0-beta1","v2.0.0-beta10","v2.0.0-beta11","v2.0.0-beta2","v2.0.0-beta2-hotfix2","v2.0.0-beta3","v2.0.0-beta4","v2.0.0-beta5","v2.0.0-beta6","v2.0.0-beta7","v2.0.0-beta8","v2.0.0-beta8-fixed","v2.0.0-beta9","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.1","v2.0.1-fixed","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.ROLLING"],"database_specific":{"vanir_signatures":[{"digest":{"function_hash":"203087968805785380088111885039723137363","length":570},"id":"CVE-2024-25177-0b21938c","target":{"function":"snap_replay_const","file":"src/lj_snap.c"},"source":"https://github.com/luajit/luajit/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f","signature_type":"Function","signature_version":"v1","deprecated":false},{"digest":{"function_hash":"34102034867156844221458460469079786892","length":3580},"id":"CVE-2024-25177-3c7a3aa2","source":"https://github.com/luajit/luajit/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f","signature_version":"v1","signature_type":"Function","target":{"function":"snap_unsink","file":"src/lj_snap.c"},"deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["328851366615205159600879125988537784760","187708736421711303964457164439587907200","207873470814917637525689825456575210292","327582682703369524527697500124813874868","97083308229016597306128497472693802223","95806262639384273180919947489632886570","130085288147700083953557008386072178626","58043924142223039666946178628332009909","271509107339337137925848792752905808826"]},"id":"CVE-2024-25177-7a4eb3ab","source":"https://github.com/luajit/luajit/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f","signature_version":"v1","signature_type":"Line","target":{"file":"src/lj_snap.c"},"deprecated":false}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-25177.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/openresty/luajit2","events":[{"introduced":"0"},{"fixed":"85b4fed0b0353dd78c8c875c2f562d522a2b310f"}]}],"versions":["v2.0.0","v2.0.0-beta1","v2.0.0-beta10","v2.0.0-beta11","v2.0.0-beta2","v2.0.0-beta2-hotfix2","v2.0.0-beta3","v2.0.0-beta4","v2.0.0-beta5","v2.0.0-beta6","v2.0.0-beta7","v2.0.0-beta8","v2.0.0-beta8-fixed","v2.0.0-beta9","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.1","v2.0.1-fixed","v2.0.2","v2.0.3","v2.0.4","v2.0.5"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["328851366615205159600879125988537784760","187708736421711303964457164439587907200","207873470814917637525689825456575210292","327582682703369524527697500124813874868","97083308229016597306128497472693802223","95806262639384273180919947489632886570","130085288147700083953557008386072178626","58043924142223039666946178628332009909","271509107339337137925848792752905808826"]},"id":"CVE-2024-25177-393b0fe7","target":{"file":"src/lj_snap.c"},"source":"https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f","signature_type":"Line","signature_version":"v1","deprecated":false},{"digest":{"function_hash":"34102034867156844221458460469079786892","length":3580},"id":"CVE-2024-25177-a9aefc31","source":"https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f","signature_version":"v1","signature_type":"Function","target":{"function":"snap_unsink","file":"src/lj_snap.c"},"deprecated":false},{"digest":{"function_hash":"203087968805785380088111885039723137363","length":570},"id":"CVE-2024-25177-d016918a","target":{"function":"snap_replay_const","file":"src/lj_snap.c"},"source":"https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f","signature_type":"Function","signature_version":"v1","deprecated":false}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-25177.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}