CVE-2024-25176

Description

LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240626 have a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c.

How to fix CVE-2024-25176

To remediate CVE-2024-25176, upgrade the affected package to a fixed version below.

• Alpine/luajit—upgrade to 2.1_p20240815-r1 or later
• Debian/luajit—upgrade to 2.1.0~beta3+dfsg-5.3+deb11u1 or later

Is CVE-2024-25176 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 2.1_p20240815-r1
• from 0, < 2.1.0~beta3+dfsg-5.3+deb11u1

CVSS scores

References (2)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-25176
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-25176