Regular Expression Denial of Service Vulnerability in Lunary by Lunary AI
CVE-2024-8789

7.5 HIGH

Key Information:

Vendor: Lunary-ai

CVE Published: 20 March 2025

What is CVE-2024-8789?

Lunary AI's Lunary application allows users to upload custom regular expressions that are executed on the server, which makes it susceptible to a Regular Expression Denial of Service (ReDoS) attack. Certain regular expressions exhibit exponential runtime complexity relative to the input size and can significantly delay server responses. A malicious user can exploit this flaw by submitting specially crafted regular expressions, potentially causing the server to become unresponsive for extended periods.
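
One way to bound the cost of executing user-supplied patterns on the server, shown as an added example (not Lunary's code and not its actual fix). It assumes a Node.js server; the helper name `safeRegexTest`, the length limits and the 100 ms deadline are hypothetical.

```javascript
const vm = require('node:vm');

// Assumed limits; tune them to the application.
const MAX_PATTERN_LENGTH = 200;
const MAX_INPUT_LENGTH = 10000;
const ALLOWED_FLAGS = /^[gimsuy]*$/;

// Fixed script: only strings cross into the context, never user code.
const MATCH_SCRIPT = new vm.Script('new RegExp(pattern, flags).test(input)');

// Hypothetical helper: evaluate an untrusted pattern with a hard deadline.
// Returns { ok: true, matched } or { ok: false, reason }.
function safeRegexTest(pattern, flags, input, timeoutMs = 100) {
  if (typeof pattern !== 'string' || pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'pattern-rejected' };
  }
  if (typeof flags !== 'string' || !ALLOWED_FLAGS.test(flags)) {
    return { ok: false, reason: 'flags-rejected' };
  }
  if (typeof input !== 'string' || input.length > MAX_INPUT_LENGTH) {
    return { ok: false, reason: 'input-rejected' };
  }
  const context = vm.createContext({ pattern, flags, input });
  try {
    // The vm watchdog interrupts the regex engine when the deadline passes.
    const matched = MATCH_SCRIPT.runInContext(context, { timeout: timeoutMs });
    return { ok: true, matched };
  } catch (err) {
    if (err && err.code === 'ERR_SCRIPT_EXECUTION_TIMEOUT') {
      return { ok: false, reason: 'timeout' };
    }
    // Errors thrown inside the context come from another realm: check by name.
    if (err && err.name === 'SyntaxError') {
      return { ok: false, reason: 'invalid-pattern' };
    }
    throw err;
  }
}

// Constructed samples: a benign pattern, the textbook nested-quantifier
// pattern on a non-matching input, and a malformed pattern.
const SAMPLES = [
  ['^[a-z]+@[a-z]+\\.com$', 'alice@example.com'],
  ['(a+)+$', 'a'.repeat(40) + '!'],
  ['([a-z', 'abc'],
];
for (const [pattern, input] of SAMPLES) {
  console.log(JSON.stringify(pattern), safeRegexTest(pattern, '', input));
}
```

The call is synchronous, so the deadline also bounds how long the event loop is blocked per request. A linear-time engine such as RE2 avoids the backtracking altogether.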

Affected Version(s)

lunary-ai/lunary < 1.4.23

CVSS V3.0

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
