{"id":"CVE-2024-25178","details":"LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an out-of-bounds read in the stack-overflow handler in lj_state.c.","modified":"2026-03-23T05:12:04.558434644Z","published":"2025-07-07T17:15:27.527Z","related":["CGA-rcfx-q3h7-6q9q","SUSE-SU-2025:02886-1","SUSE-SU-2025:03378-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00022.html"},{"type":"ADVISORY","url":"https://gist.github.com/pwnhacker0x18/423b4292f301ab274b42d5ed6e0b87d8"},{"type":"REPORT","url":"https://github.com/LuaJIT/LuaJIT/issues/1152"},{"type":"FIX","url":"https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8"},{"type":"FIX","url":"https://github.com/openresty/luajit2/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/luajit/luajit","events":[{"introduced":"0"},{"last_affected":"2090842410e0ba6f81fad310a77bf5432488249a"},{"fixed":"defe61a56751a0db5f00ff3ab7b8f45436ba74c8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1"}]}},{"type":"GIT","repo":"https://github.com/openresty/luajit2","events":[{"introduced":"0"},{"fixed":"defe61a56751a0db5f00ff3ab7b8f45436ba74c8"}]}],"versions":["v2.0.0","v2.0.0-beta1","v2.0.0-beta10","v2.0.0-beta11","v2.0.0-beta2","v2.0.0-beta2-hotfix2","v2.0.0-beta3","v2.0.0-beta4","v2.0.0-beta5","v2.0.0-beta6","v2.0.0-beta7","v2.0.0-beta8","v2.0.0-beta8-fixed","v2.0.0-beta9","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.1","v2.0.1-fixed","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.ROLLING"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","target":{"file":"src/lj_err.h"},"id":"CVE-2024-25178-027b122f","signature_type":"Line","source":"https://github.com/openresty/luajit2/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","digest":{"line_hashes":["54050595518120967622896392845927167681","15070245444666457301793099561169003833","320681905010042593851437360386241621384","314491342751211321455725763182361569391"],"threshold":0.9},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_err.c"},"id":"CVE-2024-25178-088621e0","source":"https://github.com/openresty/luajit2/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Line","digest":{"line_hashes":["175265014896106002403946613573786699968","197399067499152755998847627260198159960","116940952920393853474400420530029569999","17195866420894312641159619656422570504","270305923755407770796822705000165410927","191473466209037161331382735023326294999","103866882458321787333621118024924364456","286528071522097903130088633731689501022","205418231937864698460410781796669678690","210835692443088131349037926938450397004","175274725561173045038395520611593296651","279102159455966962128442334341789984528","74967209383444881529968484594066922671"],"threshold":0.9},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_state.c"},"id":"CVE-2024-25178-16d06e12","signature_type":"Line","source":"https://github.com/luajit/luajit/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","digest":{"line_hashes":["277024855705172535011344108957442779773","193341672357919148145521472639704451384","239817343184206947973547231590700306149","271657220955694740216157348712103466851","151015622724334242152379780113683322815","208884359861957586290619840674240379838","137851220125126039734150454611207961730","249763080357394971460150877036173573539","108865677583523157312376737950178335334","90513587949215906042301769096487702116","201372420145530435073427262751136916973","140081803099111383703159557805636865972","26833242892596005318803701951642670227","236427332506692914507654054535035984418","337510366572983224077165314320187776736","277971212153318530724414602621330352166","177298771810510089332421618840280769209","277010972630919169706352803208896369876","92095899878429511972813154301841668788","127592519123815158622255260146181694635","76157443837616571298013795723806884545"],"threshold":0.9},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_err.c"},"id":"CVE-2024-25178-287d868c","source":"https://github.com/luajit/luajit/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Line","digest":{"line_hashes":["175265014896106002403946613573786699968","197399067499152755998847627260198159960","116940952920393853474400420530029569999","17195866420894312641159619656422570504","270305923755407770796822705000165410927","191473466209037161331382735023326294999","103866882458321787333621118024924364456","286528071522097903130088633731689501022","205418231937864698460410781796669678690","210835692443088131349037926938450397004","175274725561173045038395520611593296651","279102159455966962128442334341789984528","74967209383444881529968484594066922671"],"threshold":0.9},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_debug.c","function":"debug_framepc"},"id":"CVE-2024-25178-4bde8851","signature_type":"Function","source":"https://github.com/luajit/luajit/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","digest":{"function_hash":"50067456856387634292401281977494003867","length":1548},"deprecated":false},{"signature_version":"v1","digest":{"line_hashes":["134549044816835016606906774647420951103","170817815714175202946605932544776752531","218582723080459621474861288584455163421","327053795116861641334942614506163330548"],"threshold":0.9},"id":"CVE-2024-25178-6ee6d6d4","source":"https://github.com/openresty/luajit2/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Line","target":{"file":"src/lj_debug.c"},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_state.c","function":"lj_state_growstack"},"id":"CVE-2024-25178-754e033d","source":"https://github.com/luajit/luajit/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Function","digest":{"function_hash":"250095970941643160031860255363092946226","length":536},"deprecated":false},{"signature_version":"v1","digest":{"line_hashes":["277024855705172535011344108957442779773","193341672357919148145521472639704451384","239817343184206947973547231590700306149","271657220955694740216157348712103466851","151015622724334242152379780113683322815","208884359861957586290619840674240379838","137851220125126039734150454611207961730","249763080357394971460150877036173573539","108865677583523157312376737950178335334","90513587949215906042301769096487702116","201372420145530435073427262751136916973","140081803099111383703159557805636865972","26833242892596005318803701951642670227","236427332506692914507654054535035984418","337510366572983224077165314320187776736","277971212153318530724414602621330352166","177298771810510089332421618840280769209","277010972630919169706352803208896369876","92095899878429511972813154301841668788","127592519123815158622255260146181694635","76157443837616571298013795723806884545"],"threshold":0.9},"id":"CVE-2024-25178-7caeb2df","source":"https://github.com/openresty/luajit2/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Line","target":{"file":"src/lj_state.c"},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_err.h"},"id":"CVE-2024-25178-965900fb","signature_type":"Line","source":"https://github.com/luajit/luajit/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","digest":{"line_hashes":["54050595518120967622896392845927167681","15070245444666457301793099561169003833","320681905010042593851437360386241621384","314491342751211321455725763182361569391"],"threshold":0.9},"deprecated":false},{"signature_version":"v1","digest":{"function_hash":"152599931405697861393702385850197640506","length":293},"id":"CVE-2024-25178-97ecb279","source":"https://github.com/openresty/luajit2/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Function","target":{"file":"src/lj_err.c","function":"lj_err_mem"},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_state.c","function":"lj_state_growstack"},"id":"CVE-2024-25178-a53d421c","signature_type":"Function","source":"https://github.com/openresty/luajit2/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","digest":{"function_hash":"250095970941643160031860255363092946226","length":536},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_err.c","function":"lj_err_run"},"id":"CVE-2024-25178-ac20fe0e","source":"https://github.com/openresty/luajit2/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Function","digest":{"function_hash":"74590149630808721859909653481560825931","length":552},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_debug.c","function":"debug_framepc"},"id":"CVE-2024-25178-c4cdde9f","signature_type":"Function","source":"https://github.com/openresty/luajit2/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","digest":{"length":1548,"function_hash":"50067456856387634292401281977494003867"},"deprecated":false},{"signature_version":"v1","target":{"file":"src/lj_err.c","function":"lj_err_run"},"id":"CVE-2024-25178-defbf192","source":"https://github.com/luajit/luajit/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Function","digest":{"function_hash":"74590149630808721859909653481560825931","length":552},"deprecated":false},{"signature_version":"v1","digest":{"line_hashes":["134549044816835016606906774647420951103","170817815714175202946605932544776752531","218582723080459621474861288584455163421","327053795116861641334942614506163330548"],"threshold":0.9},"id":"CVE-2024-25178-f0fb33fb","source":"https://github.com/luajit/luajit/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Line","target":{"file":"src/lj_debug.c"},"deprecated":false},{"signature_version":"v1","digest":{"function_hash":"152599931405697861393702385850197640506","length":293},"id":"CVE-2024-25178-fcbfadab","source":"https://github.com/luajit/luajit/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8","signature_type":"Function","target":{"file":"src/lj_err.c","function":"lj_err_mem"},"deprecated":false}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.1.0"}]},{"events":[{"introduced":"luajit2"},{"fixed":"v2.1-20240314"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25178.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}