CVE-2024-25176 in LuaJIT
Summary
by MITRE • 07/07/2025
LuaJIT through 2.1 has a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/25/2025
The vulnerability CVE-2024-25176 represents a critical stack-based buffer overflow in LuaJIT version 2.1 and earlier, specifically within the lj_strfmt_wfnum function located in the lj_strfmt_num.c source file. This flaw occurs during the formatting of numeric values when LuaJIT processes floating-point numbers, creating a condition where malicious input can cause the program to write beyond the bounds of allocated stack memory. The vulnerability arises from insufficient bounds checking in the string formatting routine that handles wide character number formatting operations, making it particularly dangerous in environments where untrusted input is processed through LuaJIT's numeric formatting capabilities.
The technical implementation of this vulnerability stems from the improper handling of buffer boundaries when converting floating-point numbers to string representations in wide character contexts. The lj_strfmt_wfnum function fails to validate the required buffer size before writing formatted numeric data to the stack, allowing attackers to craft input that triggers memory corruption. This type of flaw falls under CWE-121 Stack-based Buffer Overflow, which specifically addresses buffer overflows occurring in stack memory regions where the buffer size is insufficient to contain the data being written. The vulnerability is particularly concerning because it can be exploited through crafted numeric inputs that leverage the string formatting functionality commonly used in web applications, APIs, and scripting environments that rely on LuaJIT for processing.
Operational impact of CVE-2024-25176 extends beyond simple memory corruption, as it provides potential for remote code execution in vulnerable environments where LuaJIT is used to process untrusted input. Attackers can leverage this vulnerability to manipulate program execution flow through stack corruption, potentially leading to arbitrary code execution or denial of service conditions. The vulnerability affects systems where LuaJIT is integrated into web applications, game engines, embedded systems, or any application that processes numeric data through the affected string formatting functions. Given that LuaJIT is commonly used in high-performance computing environments, the potential for widespread impact increases significantly, particularly in server-side applications and network services that handle numeric input from external sources.
Mitigation strategies for CVE-2024-25176 primarily focus on immediate remediation through version updates to LuaJIT 2.1.0-15 or later, which contain the necessary patches addressing the buffer overflow condition. Organizations should implement input validation and sanitization measures to reduce exposure, particularly for applications that process numeric data from untrusted sources. The mitigation approach aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: Lua, where adversaries may exploit scripting language vulnerabilities to gain system access. Additionally, runtime protections such as stack canaries, address space layout randomization, and control flow integrity checks can provide additional defense layers. Security monitoring should focus on detecting unusual numeric input patterns and potential exploitation attempts targeting string formatting functions, while application developers should review code for proper buffer size validation and implement defensive programming practices to prevent similar issues in custom implementations.