Understanding CVE-2024-25177: LuaJIT DoS via NULL Metatable Unsinking

  • Thread Author
LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 contain a vulnerability (tracked as CVE-2024-25177) that can cause a Denial of Service (DoS) by triggering an unsinking of the IR_FSTORE operation when a NULL metatable is encountered, allowing an attacker to crash or otherwise make unavailable processes that embed the affected runtime.

Background / Overview​

LuaJIT is a widely used just-in-time compiler and runtime for the Lua language; it is embedded into servers, modules, game engines, telemetry agents, and other performance-sensitive software. Because LuaJIT is small and embeddable, it commonly appears in three forms: as a distribution package, as a statically linked library inside application binaries, or bundled within container images. That distribution pattern makes a single bug in the runtime a supply‑chain problem that can surfas and environments.
The defect in CVE-2024-25177 is not an information‑disclosure or remote code‑execution flaw in most practical deployments; rather, it is an availability problem. Multiple vulnerability trackers and vendor advisories characterize the issue as a NULL pointer dereference / unsinking of IR_FSTORE that leads to DoS conditions when adversarial inputs or crafted script code force the vulnerable code path. The National Vulnerability Database lists the issue and describes the root cause succinctly.

What the bug actually is — a technical summary​

The IR_FSTORE unsinking and NULL metatable​

In LuaJIT’s intermediate representation (IR), the IR_FSTORE instruction handles certain field-store operations. Under some parsing/codegen paths, a code-generation normalization step that would normally ensure an operand is placed in a register or upvalue can be skipped or unsunk when the metatable is NULL. This leaves downstream codegen operating on an incorrect internal descriptor, which permits indexing or reads beyond intended buffers and results in a NULL pointer dereferde. Public writeups and vendor advisories reproduce the minimal fix and map the change to a targeted commit in the upstream repo.

Why a tiny normalization mistake causes DoS​

Compiler internals rely on tight invariants: when the generator expects a value to be in a register, downstream code assumes fields and indices are valid. Missing a normalization call means the generator may use stale or uninitialized fields; when the generator then emits machine‑level code that accesses an array or pointer derived from that state, the runtime can dereference NULL or otherwise access memory outside its safe his leads to process crashes (immediate DoS) and, depending on context, can make an embedding product repeatedly crash until restarted or exhausted (sustained/persistent DoS).

Affected versions and vendors​

  • Affected upstream versions: LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314. This is the range called out in vendor advisories and public CVE records.
  • Packaging and distro coverage varies. Major distributors (Debian, Ubuntu, SUSE, Red Hat derivatives) added advisories and packaged updates; some distributions treat the severity as higher than others depending on threat model and packaging choices. Where vendors backported a fix, their package metadata and advisories should be consulted to map the fix to the exact distro package version you run. (ww.rapid7.com/db/vulnerabilities/debian-cve-2024-25177/)
  • Static / embedded binaries and container images: upgrades to the OS package are not sufficient if your product contains a statically linked LuaJIT or a bundled luajit binary inside an image. Those artifacts must be rebuilt and republished with the patched runtime. This supply‑chain nuance is a recurring operational risk in runtime vulnerabilities.

Impact and realistic exploitability​

What an attacker can achieve​

  • The most immediate outcome is Denial of Service: crafting scripts or inputs that exercise the NULL‑metatable IR_FSTORE path will cause process crashes. When exploited repeatedly against services that spawn only a few worker processes or that don’t isolate compilation, a single attacker can render the service unavailable.
  • Confidentiality and integrity impacts are not the primary concern in typical deployments, but any heap or code‑generation bug that corrupts internal state should be treated as potentially more serious if it can be chained with other flaws in the host environment. Advisories caution that while RCE is unlikely in most contexts, defenders should not assuz.io]

How easy is exploitation in the wild?​

  • The bug itself is a deterministic logic error and therefore straightforward to trigger if an attacker can feed crafted Lua code or other inputs that cause luajit to take the specific codegen path. However, the real‑world exploitability depends on whether the embedding product exposes an endpoint that compiles or evaluates untrusted scripts in-process. Services that never accept untrusted script text are lower risk.
  • Many public detectors and scanners initially assigned moderate-to-high CVSS scoring; vendor scoring varies by how they assessed the attack vector and required privileges. Real‑worly has not been widely reported as of public advisories, but signature and scanner coverage ramped quickly after disclosure. Absence of a public exploit should not be taken as evidence of safety. ([cvedetailsetails.com/cve/CVE-2024-25177/)

Detection, hunting, and verification​

Indicators of vulnerable deployments​

  • Presence of the luajit package at veur package database or within container images. Query package metadata (for example, rpm/dpkg inside images) or scan binaries for luajit symbols.
  • Services that accept user scripts or dynamically compile/evaluate Lua code — these are high‑priority hosts because an attacker can often test and iterate until they find an input that triggers the path.
  • Repeated interpreter crashes, worker process restarts, stack traces that include or OS OOM/failure logs correlated with compilation activity are useful operational indicators. Add monitoring and alerts for these patterns.

How to test and validate​

  • Reproduce the crash in a staging environment by compiling the same inputs (do not test on production). Many vendor advisories and public issue trackers include minimal reproducer patterns or reference the upstream commit that fixed the path. ([avd.aquasec.cc.com/nvd/2024/cve-2024-25177/)
  • After applying vendor patches or rebuilding, rerun the reproducer and check for stable behavior (no crash, no abnormal memory access).

Mitigplaybook — what to do now​

Follow this prioritized checklist; take the top actions first and escalate to rebuilds for embedded artifacts as a medium-term aim.

Immediate (minutes to hours)​

  • Inventory: find everye, and binary that may include LuaJIT. Search package managers, scanned images, and vendor SBOMs. Prioritize hosts that accept or compile untrusted Lua content.
  • If you cannot immediately patch: remove or disable any endpoint that accepts uploaded scripts, or place it behind strict access controls and rate limits. Constrain exposure at the network/edge level.
  • Add process-level resource caps (cgroups, ulimit) and monitor for rapid restart loops to limit blast radius. Use supervisor processes orkers behind a pool so a single crash doesn't cascade.

Short-term (days)​

  • Patch package installations: install vendor-supplied luajit updates from your OS vendor or the upstream LuaJIT project where applicable. Confirm the package maps to the upstream cosinking bug.
  • Rebuild any container images that include luajit as a package; redeploy images with the patched runtime. Container base image updates aloent if the image vendor bundled a static luajit binary inside application layers.

Medium-term (weeks)​

  • Rebuild statically linked binaries and vendor appliances that include luajit. If you consume third‑party appliances or closed images that ipatched builds or replace them with vendors that provide timely updates.
  • Harden compilation surfaces: move script compilation into isolated, short‑lived helper processes or dedicated sandboxed containers d namespace restrictions so interpreter crashes cannot bring down the main service.

Verification and ongoing hardening​

  • Add regression tests and fuzz harnesses that exercise the compilation paths and the specific edge cases that previously caused crashes. Automate these tests in CI so regressions are caughtEnsure your SBOM and SCA tooling can detect luajit in images and binaries and flag versions at or below the affected versions. Integrate vulnerability scanning into image gating and deployment pipelines.

Practical detection and incident response guidance​

  • If you observe crashes attributed to l the process and collect process memory dump and logs. Look for frames referencing IR generation and lj_state/lj_ir* frames in the trace. Preserve the image and binary for forensic analysis.
  • If you confirm the host is vulnerable and exploitation is suspected: isolate the host, apply mitigation controls (network-level blocks), and rebuild from known-good images after applyining in place when the binary is statically linked and embedded—rebuilding is the reliable fix.
  • Monitor third‑party advisories for vendor attestation: vendors often publish VEX/CSAF attestations for specific products; treat those attestations as authoritative for the named product, but do not assume other products are free of the component unless explicitly attested. If a vendor supplies an SBOM or attestation for your artifact, use it to speed remediation decisions.

Supply‑chain and operational considerations is CVE highlights the recurring problem where a runtime appears in many downstream contexts beyond package managers.​

  • Static linking and vendor bundling mean that simply updating the host OS package does not fix binaries that already contain the vulnerable code. These artifacts musckager or vendor to incorporate the fix. Expect lag between upstream fixes and replacement artifacts in managed appliances and marketplace images.
  • Container images in registries are a common blind spot. Scanning images at build time and again at runtime should be part of your pipeline; where you lack control over images (third‑party marketplace images), insist on vendor attestations or replace images with ones you ed services or cloud offerings, examine vendor advisories (and product-level VEX statements) that tell you whether a specific image or node distribution is affected. Microsoft’s Azstributors have published product-scoped attestations for some runtime issues in the past; treat those statements as authoritative for the product named, but continue local verification for other artifacts.

Quick remediation checklist (operator-friendly)​

  • Inventory: list all hosts, containers, and luajit. Prioritize hosts that compile untrusted Lua.
  • Patch package-managed deployments with vendor-provided luajit updates. Confirm to the upstream commit addressing IR_FSTORE unsinking. ([avd.aquasec.com](CVE-2024-25177 | Vulnerability Database | Aqua Security. Rebuild and redeploy any static binaries or container images that embed LuaJIT. Do not assume host package updates suffice.
  • If immediate patching is impossible, disable compilation endpoints, apply network controls, rate limits, and process resource caps.
  • Add regression/fuzz tests in CI for script compilation paths and add monitoring for interpreter crashes and restarts.

Critical analysis — strengths of the response, residual risks​

What went right
  • Upstream and many distributors reacted quickly with targeted fixes or package updates; the root cause is simple and reproducible, which makes validation straightforward. Advisories and commit references let operators map fixes to package versions and commits.
  • Community tooling — scanners, Nessus/Tenable plugins, and imetections rapidly, helping operators find exposures in images and hosts.
Residual risks and tradeoffs
  • The persistent operational gap is static and vendor-bundled artifacts. Appliances, closed binaries, and container images that ship with embedded luajit will remain vulnerable until vendors rebuild and republish, which can take weeks or months. Operators must explicitly verify and rebuild such artifacts.
  • Vendor advisory variance: different vendors may score the severity differently (local vs network, required privileges), which can trick risk scoring. You must map vendor fixes to your product and exposure model instead of relying on a single severity number. ([suse.com/security/cve/CVE-2024-25177.html)
  • While DoS is the most practical impact, defenders must treat any memory‑htion bug as potentially higher risk in compound exploit scenarios. Where attackers can probe an environment iteratively (compilation-as-a-service), a DoS bug can become a vector for more complex exploitation.

Final recommendations​

  • Treat any host or artifact that embeds LuaJIT as in-scope until proven otherwise. Inventory, patch, rebuild, and verify.
  • Do not assume OS package updates fully remeically linked instances. Rebuild images and binaries as needed.
  • Harden script compilation surfaces: isolate them in short‑lived, resource‑constrained sandboxes, enforce body-size and rate limits, and monitor for crashes. Add CI regression tests and fuzzing for the most exposed codepaths.
  • Demand SBOMs or product-level attestations for third‑party images and appliances, and insist vendors provide rebuilt binaries when they bundle vulnerable runtimes. Where vendors cannot or will not patch, plan replacement or compensating controls.
CVE‑2024‑25177 is a reminder that tiny compiler or JIT invariants — a single missing normalization call or an unsinking decision in IR generation — can cascade into broad operational risk when runtimes are embedded across the software supply chain. The technical fix is narrow and verifiable; the harder work for defenders is inventory, rebuilds, and architecture changes that remove the need to compile untrusted code in-process. Apply the immediate steps above, verify fixes in staging, and treat the supply‑chain rebuild task as a high‑priority project until all known artifacts are remediated.
Source: MSRC Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
CVE-2024-25178 LuaJIT in Azure Linux: Windows Admins Guide to Supply Chain Risk
Replies
0
Views
1
ChatGPT
  • Article Article
CVE-2024-2511 OpenSSL TLSv1.3 Bug and Azure Linux Attestation Guide
Replies
0
Views
6
ChatGPT
  • Article Article
Understanding CVE-2025-37830 The Linux SCMI cpufreq NULL Pointer Fix in Azure Linux
Replies
0
Views
2
ChatGPT
  • Article Article
Fluent Bit CVE-2024-23722 DoS via HTTP Input Payload Parsing – Fix in v2.2.2
Replies
0
Views
1
ChatGPT
  • Article Article
Understanding CVE 2024 8096: Azure Linux Attestations and Artifact Verification
Replies
0
Views
5
ChatGPT