{"id":"CVE-2024-25176","details":"LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240626 have a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c.","modified":"2026-04-12T10:24:57.137451Z","published":"2025-07-07T17:15:27.247Z","related":["CGA-fqcg-54rh-wxvf","SUSE-SU-2025:02886-1","SUSE-SU-2025:03378-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00022.html"},{"type":"ADVISORY","url":"https://gist.github.com/pwnhacker0x18/cd75d01fc7c9b6c85c183fbe5353d276"},{"type":"REPORT","url":"https://github.com/LuaJIT/LuaJIT/issues/1149"},{"type":"FIX","url":"https://github.com/openresty/luajit2/commit/343ce0edaf3906a62022936175b2f5410024cbfc"},{"type":"FIX","url":"https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/luajit/luajit","events":[{"introduced":"0"},{"last_affected":"2090842410e0ba6f81fad310a77bf5432488249a"},{"fixed":"343ce0edaf3906a62022936175b2f5410024cbfc"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1"}]}},{"type":"GIT","repo":"https://github.com/openresty/luajit2","events":[{"introduced":"0"},{"fixed":"343ce0edaf3906a62022936175b2f5410024cbfc"}]}],"versions":["v2.0.0","v2.0.0-beta1","v2.0.0-beta10","v2.0.0-beta11","v2.0.0-beta2","v2.0.0-beta2-hotfix2","v2.0.0-beta3","v2.0.0-beta4","v2.0.0-beta5","v2.0.0-beta6","v2.0.0-beta7","v2.0.0-beta8","v2.0.0-beta8-fixed","v2.0.0-beta9","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.1","v2.0.1-fixed","v2.1.0-beta1","v2.1.0-beta2","v2.1.0-beta3","v2.1.ROLLING"],"database_specific":{"vanir_signatures_modified":"2026-04-12T10:24:57Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.1.0"}]},{"events":[{"introduced":"luajit2"},{"fixed":"v2.1-20240626"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25176.json","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["184377265502471948946011847305557628028","126985615680567155763244816895876325150","256480103875299304460977140873185636357","150376957051957027109142554037398449154"]},"signature_version":"v1","deprecated":false,"target":{"file":"src/lj_strfmt_num.c"},"signature_type":"Line","id":"CVE-2024-25176-19801fc3","source":"https://github.com/openresty/luajit2/commit/343ce0edaf3906a62022936175b2f5410024cbfc"},{"digest":{"threshold":0.9,"line_hashes":["184377265502471948946011847305557628028","126985615680567155763244816895876325150","256480103875299304460977140873185636357","150376957051957027109142554037398449154"]},"signature_version":"v1","deprecated":false,"target":{"file":"src/lj_strfmt_num.c"},"signature_type":"Line","id":"CVE-2024-25176-a4706ff3","source":"https://github.com/luajit/luajit/commit/343ce0edaf3906a62022936175b2f5410024cbfc"},{"digest":{"length":9111,"function_hash":"38540755679721982889331743041600852543"},"signature_version":"v1","deprecated":false,"target":{"file":"src/lj_strfmt_num.c","function":"lj_strfmt_wfnum"},"signature_type":"Function","id":"CVE-2024-25176-da55b03f","source":"https://github.com/openresty/luajit2/commit/343ce0edaf3906a62022936175b2f5410024cbfc"},{"digest":{"length":9111,"function_hash":"38540755679721982889331743041600852543"},"signature_version":"v1","deprecated":false,"target":{"file":"src/lj_strfmt_num.c","function":"lj_strfmt_wfnum"},"signature_type":"Function","id":"CVE-2024-25176-e6c324de","source":"https://github.com/luajit/luajit/commit/343ce0edaf3906a62022936175b2f5410024cbfc"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}