LuaJIT: stack-buffer overflow in LuaJIT lj_strfmt_wfnum (CVE-2024-25176) #shorts
Summary
Today we’re discussing CVE-2024-25176, a stack-buffer-overflow vulnerability in LuaJIT 2.1 (the rolling release branch) in builds that predate the upstream fix. The flaw lets an attacker overflow a fixed-size stack buffer while LuaJIT formats a floating-point number; the reliable outcome is a crash of the host process, and, depending on platform mitigations, it may allow code execution. Fedora has issued security advisories and updated packages for Fedora 41 and 42.
Product details
LuaJIT is a high-performance Just-In-Time compiler for the Lua scripting language, used in game engines, embedded systems, web servers, and other performance-sensitive applications. Because 2.1 is a rolling branch rather than a numbered point release, the affected set is every 2.1 snapshot built before the fix commit. Many Linux distributions and software projects bundle LuaJIT by default, so the issue reaches well beyond people who build LuaJIT themselves.
Vulnerability type summary
The vulnerability is a classic stack-based buffer overflow in the function lj_strfmt_wfnum in lj_strfmt_num.c, the routine that writes a formatted floating-point number (the %e, %f and %g conversions behind string.format and related formatting paths) into a fixed-size stack buffer. For certain combinations of value and conversion the amount written is not checked against the buffer size.
Details of the vulnerability
Inside lj_strfmt_wfnum, LuaJIT reserves fixed-size storage on the stack and writes the digits of the formatted number into it. How much is written depends on the value being formatted and on the requested conversion and precision; for an input that the format parser accepts but that the buffer was not sized for, the function writes past the end of the buffer. On the stack that means overwriting the saved return address and other frame data, so the result is at least a crash and, absent mitigations such as stack canaries, a non-executable stack and ASLR, potentially arbitrary code execution in the context of the host process. Any application that passes untrusted input to string.format, or that reaches the formatter through the C API, is exposed. The flaw was reported upstream (issue #1149), fixed by the upstream commit linked under Related Content, and tracked as CVE-2024-25176; Fedora 41 and 42 users should apply the provided updates immediately.
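The pattern described above, as an added illustration that is not LuaJIT's code: a number formatter that writes into a fixed-size stack buffer without checking how long the output will be, next to a hardened form that measures first and refuses anything that would not fit. The buffer size NUMBUF_SIZE, the function names and the use of printf-style conversions are assumptions for the illustration; the real lj_strfmt_wfnum uses its own digit-generation code, and this example does not reproduce it.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer in this illustration (an assumption; it is
 * not the size used inside lj_strfmt_wfnum). */
#define NUMBUF_SIZE 64

/* Bytes (excluding the NUL) that formatting n as "%.<prec>f" produces.
 * snprintf(NULL, 0, ...) measures without writing anything. The integer
 * part of a double can be up to 309 digits, so 1e308 alone needs 309 bytes,
 * and a precision of 99 adds the point plus 99 more. */
size_t fmt_needed(double n, int prec)
{
    int r = snprintf(NULL, 0, "%.*f", prec, n);
    return r < 0 ? 0 : (size_t)r;
}

/* VULNERABLE PATTERN: the output length depends on the value and the
 * precision, but the destination is a fixed stack buffer and sprintf never
 * checks it. Any n with fmt_needed(n, prec) >= NUMBUF_SIZE writes past buf
 * into the saved frame data above it. Never call this with such inputs. */
size_t fmt_unchecked(char *out, size_t outsz, double n, int prec)
{
    char buf[NUMBUF_SIZE];
    int r = sprintf(buf, "%.*f", prec, n);   /* no bound on the write */
    strncpy(out, buf, outsz - 1);
    out[outsz - 1] = '\0';
    return r < 0 ? 0 : (size_t)r;
}

/* HARDENED: bound the write with snprintf and treat a truncated result as
 * an error instead of trusting that the caller picked a "small" value. */
int fmt_checked(char *out, size_t outsz, double n, int prec)
{
    char buf[NUMBUF_SIZE];
    int r = snprintf(buf, sizeof buf, "%.*f", prec, n);
    if (r < 0 || (size_t)r >= sizeof buf || (size_t)r >= outsz) {
        out[0] = '\0';
        return -1;                          /* would overflow: reject */
    }
    memcpy(out, buf, (size_t)r + 1);
    return r;
}

int main(void)
{
    char out[NUMBUF_SIZE];
    printf("1.23 needs %zu bytes, 1e308 needs %zu bytes (buffer is %d)\n",
           fmt_needed(1.23, 2), fmt_needed(1e308, 2), NUMBUF_SIZE);
    printf("checked 1.23  -> %d (%s)\n", fmt_checked(out, sizeof out, 1.23, 2), out);
    printf("checked 1e308 -> %d\n", fmt_checked(out, sizeof out, 1e308, 2));
    return 0;
}
```

The point of fmt_needed is the check a reviewer should ask for whenever a fixed buffer receives formatted numeric output: the worst-case length is a property of the conversion (309 integer digits for a double under %f, plus sign, point and precision), not of the inputs the author happened to test with. Building with -fsanitize=address and feeding the formatter extreme values (1e308, denormals, large precisions) is the quickest way to catch the unchecked variant.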
Conclusion
CVE-2024-25176 underscores the importance of rigorous bounds checking in low-level formatting code, where the output length is a function of the value and the conversion rather than of the input string length. All users and maintainers of LuaJIT should upgrade to the patched package as soon as possible. If you build LuaJIT from source, apply the upstream fix commit or move to a 2.1 checkout that already contains it (there is no numbered release "beyond 2.1" to wait for). Stay vigilant for further advisories, and make sure your build and test pipelines fuzz string-formatting paths under AddressSanitizer so overflows of this kind surface before they ship.
Watch the full video on YouTube: CVE-2024-25176
Remediation and exploitation details
This chain involves the following actors:
- Malicious Actor: Attempts to exploit the overflow to crash the host process or gain control of it
- LuaJIT Integrator: Developer or user embedding a LuaJIT 2.1 build that predates the fix
The following systems are involved:
- LuaJIT (Just-in-time compiler for the Lua language): Contains the vulnerable formatting function
Attack entry point
- lj_strfmt_wfnum in lj_strfmt_num.c: Formats floating-point numbers into a fixed-size stack buffer without adequate size checks; reachable from Lua via string.format and from embedding applications via the C API
Remediation actions
- Fedora 41 and 42: install the luajit update shipped with the distribution's security advisory
- Source builds: apply the upstream fix commit linked under Related Content, or rebuild from a 2.1 checkout that already contains it
- Embedders: until the update is deployed, do not pass untrusted format strings to string.format, and run the affected code paths under AddressSanitizer to confirm the fix in your build
Exploitation actions
Supply a format specifier and value that the format parser accepts but that lj_strfmt_wfnum's buffer was not sized for
- Use the format string and number from the upstream proof of concept (issue #1149 and the gist linked under Related Content)
- Note that an oversized width or precision such as "%100000f" does not reach the vulnerable code: LuaJIT's string.format parser accepts at most two digits of width and two digits of precision and raises an error for anything longer, so the trigger must be a specifier the parser accepts
Call LuaJIT’s formatter via Lua code or the C API
- From Lua: string.format(fmt, n), with fmt and n taken from the proof of concept
- From C: push string.format, then the format string and the number, and call it: lua_getglobal(L, "string"); lua_getfield(L, -1, "format"); lua_pushstring(L, fmt); lua_pushnumber(L, n); lua_call(L, 2, 1)
Cause the function to write more characters than the fixed stack buffer can hold
- Overflow occurs while the formatted digits are written into the local buffer
Use the overflow to corrupt control data on the stack
- The saved return address and other frame data above the buffer are overwritten with attacker-influenced bytes
On function return, control transfers to the corrupted address, leading to denial of service or code execution
- With stack canaries, a non-executable stack and ASLR in place the realistic outcome is a detected smash or a segfault (denial of service); turning the overwrite into code execution requires defeating those mitigations, for example with a ROP chain rather than shellcode placed on the stack
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc
- https://github.com/LuaJIT/LuaJIT/issues/1149
- https://gist.github.com/pwnhacker0x18/cd75d01fc7c9b6c85c183fbe5353d276
- [2025-07-12] Fedora 42 addresses a critical LuaJIT out-of-bounds vulnerability with CVE-2024-25176.
- [2025-07-08] A critical vulnerability in LuaJIT up to version 2.1 has been discovered, allowing for buffer overflow exploitation.
- [2025-07-18] Fedora 41 issues a security advisory for a buffer overflow vulnerability in luajit, CVE-2024-25176, and provides a fix.