CVE-2024-8789

HIGH

Lunary-ai/lunary <105a3f6 - ReDoS

Title source: llm

Description

Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime complexity relative to the input size, leading to potential denial of service. An attacker can exploit this by submitting a specially crafted regular expression, causing the server to become unresponsive for an arbitrary length of time.

References (2)

[Patch] https://github.com/lunary-ai/lunary/commit/7ff89b0304d191534b924cf063f3648206d497fa

[Exploit, Third Party Advisory] https://huntr.com/bounties/e32f5f0d-bd46-4268-b6b1-619e07c6fda3

Scores

CVSS v3 7.5

EPSS 0.0047

EPSS Percentile 64.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (1)

lunary/lunary < 1.4.23

Published Mar 20, 2025

Tracked Since Feb 18, 2026