CVE-2024-25178 in LuaJIT
Summary
by MITRE • 07/07/2025
LuaJIT through 2.1 has an out-of-bounds read in the stack-overflow handler in lj_state.c
Analysis
by VulDB Data Team • 07/26/2025
CVE-2024-25178 affects LuaJIT up to and including the 2.1 branch and is an out-of-bounds read in the stack-overflow handler in lj_state.c, the file that manages the Lua state and its value stack. The stack in question is the Lua value stack that LuaJIT allocates on the heap and grows on demand, not the native C stack: when a script pushes more than the interpreter's maximum stack size (runaway recursion is the usual way to get there), LuaJIT raises a Lua "stack overflow" error. The flaw is that, while handling this condition, the interpreter reads memory beyond the allocated stack area. The direct consequences of an out-of-bounds read are a crash of the host process (denial of service) and, depending on what lies past the allocation, disclosure of memory contents; the public description does not establish arbitrary code execution, so any "critical" rating should be read as a worst case rather than a demonstrated outcome.
Technically, the bug is a missing or incorrect bounds check on the stack-overflow handling path. When lj_state.c detects that a stack growth request would exceed the maximum stack size, it enters the overflow handler to raise the error, and code on that path indexes the stack with a value that is not validated against what is actually allocated, so it reads past the end of the stack allocation. The pattern is CWE-129 (Improper Validation of Array Index) and its effect is CWE-125 (Out-of-bounds Read); CWE-787 is Out-of-bounds Write and does not apply to a read. It is a classic memory-safety defect in native interpreter code: the check that would keep an index inside the stack boundaries is absent or off by the time the handler runs, which is exactly the moment the stack is in an exceptional state.
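To make the flaw class concrete, here is a small C model added for this page. It is not LuaJIT's lj_state.c and does not reproduce the exact arithmetic of CVE-2024-25178, which the advisory does not give; it models an interpreter value stack that grows on demand up to a hard limit, with an overflow handler that inspects the slots nearest the overflow point. The vulnerable variant indexes relative to the requested top, a region that was never allocated; the hardened variant clamps to the allocated region. All names (VMStack, stack_grow, overflow_handler, read_slot, STACK_MAX) are hypothetical, and the sample stack contents are constructed.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical interpreter value stack (illustrative model, not LuaJIT code). */
#define STACK_INIT   8     /* initial slots */
#define STACK_MAX    64    /* hard limit: exceeding it is a "stack overflow" */
#define TRACE_FRAMES 4     /* slots the overflow handler inspects for its diagnostic */

typedef struct {
    int32_t *slots;  /* heap-allocated value stack */
    size_t   size;   /* allocated slots */
    size_t   top;    /* index of the next free slot; invariant: top <= size */
} VMStack;

static void stack_init(VMStack *st) {
    st->size = STACK_INIT;
    st->top = 0;
    st->slots = calloc(st->size, sizeof *st->slots);
    assert(st->slots != NULL);
}

static void stack_free(VMStack *st) { free(st->slots); st->slots = NULL; }

/* Make room for `need` more slots above top. Returns 0 on success, -1 when the
 * request would exceed STACK_MAX (the caller then runs the overflow handler). */
static int stack_grow(VMStack *st, size_t need) {
    size_t n = st->top + need;
    if (n <= st->size) return 0;
    if (n > STACK_MAX) return -1;
    size_t newsize = st->size * 2;
    if (newsize < n) newsize = n;
    if (newsize > STACK_MAX) newsize = STACK_MAX;
    int32_t *p = realloc(st->slots, newsize * sizeof *p);
    assert(p != NULL);
    memset(p + st->size, 0, (newsize - st->size) * sizeof *p);
    st->slots = p;
    st->size = newsize;
    return 0;
}

/* Bounds-checked accessor standing in for a raw st->slots[i]. An index at or
 * past st->size is counted instead of dereferenced, so the demo runs safely
 * while still recording every access the raw code would have made out of
 * bounds (the access ASan would report as a heap-buffer-overflow read). */
static int32_t read_slot(const VMStack *st, size_t i, unsigned *oob_reads) {
    if (i >= st->size) { (*oob_reads)++; return 0; }
    return st->slots[i];
}

/* Stack-overflow handler: sum the TRACE_FRAMES slots nearest the overflow point
 * for an error diagnostic. `hardened` selects the fixed variant. */
static long overflow_handler(const VMStack *st, size_t need, int hardened,
                             unsigned *oob_reads) {
    size_t first, last;
    if (!hardened) {
        /* BUG (CWE-129): indexes relative to where the top WOULD have been
         * (top + need), which was never allocated, so reads land past size. */
        size_t want = st->top + need;
        first = want > TRACE_FRAMES ? want - TRACE_FRAMES : 0;
        last = want;
    } else {
        /* FIX: only index below the real top, clamped to the allocation. */
        size_t limit = st->top < st->size ? st->top : st->size;
        first = limit > TRACE_FRAMES ? limit - TRACE_FRAMES : 0;
        last = limit;
    }
    long sum = 0;
    for (size_t i = first; i < last; i++)
        sum += read_slot(st, i, oob_reads);
    return sum;
}

/* Simulate runaway recursion: every "call" reserves and pushes `need` slots
 * until the limit is hit, then runs the overflow handler. Returns how many
 * out-of-bounds reads the handler attempted (0 means the handler is safe). */
static unsigned simulate_overflow(int hardened, size_t need) {
    VMStack st;
    unsigned oob = 0;
    assert(need > 0);
    stack_init(&st);
    for (;;) {
        if (stack_grow(&st, need) != 0) {
            (void)overflow_handler(&st, need, hardened, &oob);
            break;
        }
        for (size_t k = 0; k < need; k++) {  /* push one frame of `need` markers */
            st.slots[st.top] = (int32_t)st.top;
            st.top++;
        }
    }
    stack_free(&st);
    return oob;
}

int main(void) {
    size_t frames[] = {1, 12, 16};
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        printf("frame size %2zu: vulnerable handler OOB reads = %u, hardened = %u\n",
               frames[i], simulate_overflow(0, frames[i]), simulate_overflow(1, frames[i]));
    return 0;
}
```

The frame size of 12 is the instructive case: the overflow is detected while top (60) is still below the allocation (64), yet the vulnerable handler still reads slots 68 to 71 because it reasons from the requested top rather than the allocated one. Replacing read_slot with a raw st->slots[i] in the vulnerable variant and compiling with -fsanitize=address turns the counted reads into an ASan heap-buffer-overflow report, which is how an out-of-bounds read of this class is normally caught in a test or fuzzing build of a real interpreter.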
The operational impact depends on where LuaJIT runs untrusted code. Embedders that execute user-supplied scripts (web and proxy servers with a Lua scripting layer, game engines, and other applications that expose LuaJIT to users) give an attacker the ability to drive the interpreter into a stack overflow, typically through unbounded recursion, and so reach the faulty handler. The realistic outcomes are a crash of the hosting process (denial of service) and, if the bytes read past the stack allocation influence an error message or other observable behaviour, disclosure of memory contents; such a leak can weaken ASLR for a separate memory-corruption bug, but an out-of-bounds read on its own does not yield code execution and the public description claims none. In ATT&CK terms the relevant techniques are T1059 (Command and Scripting Interpreter, since the trigger is a script fed to the interpreter) and T1203 (Exploitation for Client Execution); T1203 is not a privilege-escalation technique, which would be T1068. Organisations that embed LuaJIT in services reachable by untrusted input should treat this as a reliability and information-disclosure risk worth patching promptly.
Mitigation is to update LuaJIT. The project ships the 2.1 branch as rolling releases rather than numbered versions, so the affected range "through 2.1" means any 2.1 build that predates the upstream fix in lj_state.c; rebuild from a current upstream checkout or take the patched package from your distribution, and check that copies bundled inside applications (many embed their own LuaJIT source tree) are updated as well. Generic runtime hardening is of limited use here: stack canaries protect the native C stack, whereas the Lua value stack is a heap allocation, and ASLR only raises the bar for turning a leak into something worse. Where untrusted scripts must run before the update is deployed, defence in depth means bounding script resource use from the embedder, for example an instruction-count hook (lua_sethook with LUA_MASKCOUNT, or debug.sethook from Lua, both part of the Lua 5.1 API that LuaJIT implements) that aborts runaway scripts, and running the interpreter in a separate, restartable process so that a triggered overflow is contained. For detection, monitor for interpreter crashes in the hosting service and, for teams that build LuaJIT themselves, run the test suite and any script fuzzing under AddressSanitizer, which reports an out-of-bounds read of this kind directly. The vulnerability is a reminder that error-handling paths in interpreters deserve the same bounds checking and sanitizer coverage as the hot path, because they run precisely when the interpreter's state is exceptional.