CVE-2024-25177 in LuaJITinfo

Summary

by MITRE • 07/07/2025

LuaJIT through 2.1 has an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 08/10/2025

CVE-2024-25177 represents a critical vulnerability in LuaJIT versions up to 2.1 that affects the intermediate representation compilation process within the Just-In-Time compiler. This vulnerability specifically targets the IR_FSTORE instruction which handles field stores in the LuaJIT bytecode optimizer. The issue manifests when the compiler encounters a NULL metatable scenario during IR optimization, causing an unsinking behavior that prevents proper instruction scheduling and resource management. The vulnerability stems from a flaw in how LuaJIT's optimizer handles memory operations when metatables are absent or null, leading to a cascade of improper instruction handling that ultimately results in system resource exhaustion and application termination.

The technical flaw exists within LuaJIT's intermediate representation compiler where the IR_FSTORE instruction fails to properly handle NULL metatable conditions during optimization passes. When the JIT compiler processes code containing objects with NULL metatables, the optimization routine does not correctly account for the absence of metatable information, causing the compiler to enter an infinite loop or resource-consuming state. This behavior is classified as a denial of service vulnerability because the improper instruction handling causes the JIT compiler to consume excessive CPU cycles or memory resources, effectively rendering the application unresponsive. The vulnerability operates at the compiler level rather than the runtime level, making it particularly dangerous as it can affect applications that rely heavily on dynamic code generation and JIT compilation.

The operational impact of CVE-2024-25177 extends beyond simple application crashes to encompass broader system stability concerns, particularly in environments where LuaJIT is used for high-performance computing or web application frameworks. Attackers can exploit this vulnerability by crafting specific input patterns that trigger the NULL metatable condition during JIT compilation, leading to sustained resource exhaustion that can affect system availability. This vulnerability aligns with CWE-400 which addresses "Uncontrolled Resource Consumption" and demonstrates the critical importance of proper resource management in JIT compilers. The DoS condition can be triggered through various means including malformed input data, malicious scripts, or crafted API calls that force the JIT compiler to process objects with NULL metatables, making it a significant threat to service availability and system reliability.

Organizations utilizing LuaJIT should implement immediate mitigations including updating to patched versions of LuaJIT where available, implementing input validation and sanitization routines to prevent triggering the vulnerable code paths, and monitoring for unusual CPU or memory consumption patterns that may indicate exploitation attempts. The vulnerability also highlights the importance of proper compiler optimization testing and the need for comprehensive security reviews of JIT compilation engines. System administrators should consider implementing rate limiting and resource constraints on applications that utilize LuaJIT to prevent exploitation from causing widespread system degradation. This vulnerability demonstrates the critical nature of compiler security and the potential for low-level implementation flaws to create significant operational risks, particularly in high-availability environments where such denial of service conditions can have cascading effects across dependent services and applications.

Responsible

MITRE

Reservation

02/07/2024

Disclosure

07/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00455

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!