Regular Expression Denial of Service in Lunary by Lunary AI
CVE-2024-8998
7.5 HIGH
What is CVE-2024-8998?
A Regular Expression Denial of Service vulnerability in Lunary by Lunary AI can be exploited by sending specially crafted user input to the server. The regex pattern used for matching, /{.*?}/, can lead to significant server delays while processing certain inputs due to its polynomial time complexity in the default JavaScript regex engine. This allows attackers to disrupt services by causing the server to hang for an arbitrary amount of time. An update to version 1.4.26 addresses this issue, enhancing the product's resilience against such attacks.
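As an added example (not Lunary's code), the advisory's pattern beside a single-pass scanner that returns the same {placeholder} spans; the scanner's design and the 10 000-character cap are assumptions, not the project's 1.4.26 fix:

```javascript
// Added example, not Lunary's code. The regex named in the advisory, kept only
// for comparison: for each "{" it rescans forward looking for the first "}",
// so long input with many "{" and no "}" costs O(n^2) in V8's backtracking engine.
const VULNERABLE_RE = /{.*?}/g;

// Reference behaviour of the vulnerable pattern (used in the regression check below).
function withVulnerableRegex(input) {
  return input.match(VULNERABLE_RE) || [];
}

// Code units that `.` refuses to match without the `s` flag.
function isLineTerminator(ch) {
  return ch === "\n" || ch === "\r" || ch === "\u2028" || ch === "\u2029";
}

// Single forward pass: each character is examined exactly once, so cost is
// linear no matter how braces are arranged. Semantics mirror /{.*?}/g: a span
// runs from the first unmatched "{" to the next "}" and cannot cross a line break.
// The length cap is an assumed extra guard, not part of the upstream fix.
function extractPlaceholders(input, maxLength = 10000) {
  if (input.length > maxLength) {
    throw new RangeError(`input exceeds ${maxLength} characters`);
  }
  const found = [];
  let start = -1; // index of the "{" that opened the current candidate, or -1
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (isLineTerminator(ch)) {
      start = -1; // the regex would fail here and retry from the next "{"
    } else if (ch === "}" && start !== -1) {
      found.push(input.slice(start, i + 1));
      start = -1;
    } else if (ch === "{" && start === -1) {
      start = i;
    }
  }
  return found;
}

// Regression check: true when both extractors agree on an input.
function agreesWithRegex(input) {
  return JSON.stringify(extractPlaceholders(input)) ===
    JSON.stringify(withVulnerableRegex(input));
}
```

Run the comparison only on short, benign inputs; the point of the scanner is that it stays fast on the inputs where the regex does not.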
Affected Version(s)
lunary-ai/lunary < 1.4.26
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved