CVE-2025-59336
MEDIUMLuanox < 0.1.1 - Path Traversal and Denial of Service via Malicious Package Name
Title source: llmDescription
Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/lumen-oss/luanox/security/advisories/GHSA-42c5-x4pj-4p3w
Patch x_refsource_misc
https://github.com/lumen-oss/luanox/commit/2b6237f3baaa1d905c491fca29f8301835721c46
Scores
CVSS v4
6.9
EPSS
0.0042
EPSS Percentile
33.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
CWE-23
Status
published
Products (1)
lumen-oss/luanox
< 0.1.1
Published
Sep 16, 2025
Tracked Since
Feb 18, 2026