CVE-2024-45597

MEDIUM

Pluto - SSRF

Description

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts that pass user-controlled values into http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.

Scores

CVSS v3 5.3
EPSS 0.0076
EPSS Percentile 73.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-93
Status published
Products (1)
pluto-lang/pluto 0.9.0 - 0.9.5
Published Sep 10, 2024
Tracked Since Feb 18, 2026