CVE-2024-8763

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression's susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/7ff89b0304d191534b924cf063f3648206d497fa	Patch
https://huntr.com/bounties/4fb63a6e-0056-4550-a34d-e161de1c13b8	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-8763

Mitre link : CVE-2024-8763

CVE.ORG link : CVE-2024-8763

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-1333

Inefficient Regular Expression Complexity

{"id": "CVE-2024-8763", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-03-20T10:15:43.867", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/7ff89b0304d191534b924cf063f3648206d497fa", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/4fb63a6e-0056-4550-a34d-e161de1c13b8", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression's susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input."}, {"lang": "es", "value": "Existe una vulnerabilidad de denegaci\u00f3n de servicio de expresiones regulares (ReDoS) en el repositorio lunary-ai/lunary, concretamente en la funci\u00f3n compileTextTemplate. La versi\u00f3n afectada es git be54057. Un atacante puede explotar esta vulnerabilidad manipulando la expresi\u00f3n regular /{{(.*?)}}/g, lo que provoca que el servidor se cuelgue indefinidamente y deje de responder a las solicitudes. Esto se debe a la susceptibilidad de la expresi\u00f3n regular a la complejidad temporal polin\u00f3mica de segundo grado, que puede activarse por un gran n\u00famero de llaves en la entrada."}], "lastModified": "2025-10-15T13:15:55.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1867D23D-5A19-4541-8258-E7F901C5F468", "versionEndExcluding": "1.4.23"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}