CVE-2024-39702

MEDIUM

Openresty < 1.19.9.2 - Denial of Service

Title source: rule

Description

In lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository. is unaffected.

References (1)

[Patch] https://openresty.org/en/ann-1025003002.html

Scores

CVSS v3 5.9

EPSS 0.0078

EPSS Percentile 73.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-407

Status published

Products (2)

openresty/openresty 1.25.3.1

openresty/openresty 1.19.3.1 - 1.19.9.2

Published Jul 23, 2024

Tracked Since Feb 18, 2026