CVE-2024-8763 in lunary
Summary
by MITRE • 03/20/2025
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression's susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input.
Analysis
by VulDB Data Team • 03/20/2025
The vulnerability identified as CVE-2024-8763 is a critical Regular Expression Denial of Service (ReDoS) flaw in the lunary-ai/lunary repository, specifically affecting the compileTextTemplate function at git commit be54057. The weakness stems from the regular expression used to locate template variables in text content. The affected pattern /{{(.*?)}}/g is a classic ReDoS case: the lazy quantifier .*? between the opening and closing braces makes the engine extend the candidate match one character at a time and re-test for the closing }} after each step, and when no closing braces follow, that scan runs to the end of the input before the attempt fails. Because the pattern is global, the engine then retries from the next candidate position, so input with many repeated or nested braces drives the total work to second-degree polynomial (quadratic) time.
The vulnerability is triggered when the compileTextTemplate function processes user-supplied or untrusted input containing template syntax. The pattern {{(.*?)}} uses the non-greedy quantifier .*?, which, combined with the surrounding braces, forces the regular expression engine to explore many candidate matches through backtracking. When an attacker supplies input with a large number of nested or repeated braces, the work performed by the engine grows with second-degree polynomial time complexity, leading to severe performance degradation and eventual unresponsiveness; in a single-threaded JavaScript runtime a long-running match blocks the event loop, which is why the whole server, not just the one request, stops responding. This weakness is classified under CWE-400 (Uncontrolled Resource Consumption); the advisory also cross-references CWE-1321.
The operational impact of CVE-2024-8763 is substantial, as it can lead to complete service disruption and denial of access for legitimate users. When exploited, the vulnerability causes the server to consume excessive CPU resources and memory, potentially leading to complete system hangs or crashes. The attack surface is particularly concerning in web applications where user input reaches the compileTextTemplate function, because a crafted payload can leave the application unresponsive for extended periods. The vulnerability can be exploited by any user who can submit input to the affected function, making it especially dangerous in multi-user environments or public-facing applications. Because the computational overhead grows quadratically with input size, even moderately sized malicious inputs cause significant disruption to availability.
Mitigation for CVE-2024-8763 should cover both immediate remediation and longer-term architectural improvements that prevent similar flaws. The most effective immediate fix is to replace the vulnerable regex with an implementation that cannot backtrack across the whole input, for example by using bounded quantifiers or by replacing regex-based parsing with an iterative parser. Organizations should also apply input validation and sanitization that limits the size and complexity of template inputs. Rate limiting and resource monitoring should be in place to detect and contain exploitation attempts. VulDB maps the issue to ATT&CK technique T1496 (resource exhaustion); the fix should incorporate defensive programming practices that rule out regex-based denial of service conditions. System administrators should also consider automated security scanning tools that detect similar regex weaknesses elsewhere in the application codebase to prevent future incidents.
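The backtracking mechanism described in the analysis and the two remediation options named in the mitigation paragraph (bounded quantifiers and iterative parsing), shown together as an added JavaScript example that is not lunary's code: a minimal compileTextTemplate-style function using the advisory's pattern, the same function with a negated-character-class pattern, a regex-free scanner, and a timing loop a reviewer can keep as a regression check. The function names, the variable-lookup semantics (trimmed placeholder name, unknown placeholders expand to the empty string) and the hostile input are assumptions constructed for the example.

```javascript
// Added example (not lunary's code). Lookup semantics are assumed.

// Vulnerable pattern from the advisory. The lazy `.*?` between the delimiters
// is the problem: with many `{{` openers and no `}}`, every candidate start
// scans to the end of the input before failing, and the `g` flag retries from
// the next character, so total work grows quadratically with input length.
const VULNERABLE_RE = /{{(.*?)}}/g;

// Hardened pattern: a negated character class cannot run across a brace, so a
// failed candidate stops at the next `{` or `}` instead of scanning to the end.
// A bounded quantifier such as `.{0,64}?` would likewise cap the scan length.
const SAFE_RE = /{{([^{}]*)}}/g;

function lookup(variables, rawName) {
  const key = rawName.trim();
  // Assumed behaviour: unknown placeholders expand to the empty string.
  return Object.prototype.hasOwnProperty.call(variables, key)
    ? String(variables[key])
    : "";
}

function compileTextTemplateVulnerable(template, variables) {
  return template.replace(VULNERABLE_RE, (_m, name) => lookup(variables, name));
}

function compileTextTemplateSafe(template, variables) {
  return template.replace(SAFE_RE, (_m, name) => lookup(variables, name));
}

// Regex-free alternative: one forward pass with indexOf. Each character is
// visited a constant number of times, so cost is linear in the template size
// no matter how many braces it contains. Keeps the original "first opener,
// next closer" semantics (except that a placeholder may span a newline,
// which `.` in the original pattern never matched).
function compileTextTemplateIterative(template, variables) {
  let out = "";
  let pos = 0;
  for (;;) {
    const open = template.indexOf("{{", pos);
    if (open === -1) break;
    const close = template.indexOf("}}", open + 2);
    if (close === -1) break; // no closer anywhere: the rest is literal text
    out += template.slice(pos, open) + lookup(variables, template.slice(open + 2, close));
    pos = close + 2;
  }
  return out + template.slice(pos);
}

// Wall-clock cost of a single call, in milliseconds.
function measureMs(fn, template) {
  const start = process.hrtime.bigint();
  fn(template, {});
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Regression check on constructed hostile input (many openers, no closer):
// doubling the input should roughly quadruple the vulnerable version's time
// while the two hardened versions stay flat.
function demo() {
  const rows = [];
  for (const openers of [1000, 2000, 4000]) {
    const hostile = "{{".repeat(openers); // constructed input
    rows.push({
      chars: hostile.length,
      vulnerableMs: measureMs(compileTextTemplateVulnerable, hostile),
      safeRegexMs: measureMs(compileTextTemplateSafe, hostile),
      iterativeMs: measureMs(compileTextTemplateIterative, hostile),
    });
  }
  return rows;
}

for (const row of demo()) {
  console.log(
    `${row.chars} chars: vulnerable ${row.vulnerableMs.toFixed(1)} ms, ` +
      `safe regex ${row.safeRegexMs.toFixed(2)} ms, iterative ${row.iterativeMs.toFixed(2)} ms`
  );
}
```

Run it with node. One design point worth pinning with tests when choosing a fix: the character-class pattern changes behaviour on malformed input such as a {{b {{c}} d (it skips the unclosed outer placeholder and substitutes the inner one), whereas the scanner reproduces the original first-opener/next-closer behaviour; either is acceptable, but the choice should be deliberate.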