PT-2019-15837 · Luajit+3

Carnil · Published 2016-06-23 · Updated 2025-10-27 · CVE-2019-19391

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

LuaJIT versions 2.0.5 and earlier
Moonjit versions prior to 2.1.2

Description

The issue involves a type confusion problem in the debug.getinfo function, which can lead to arbitrary memory write or read operations due to mishandling of certain cases involving valid stack levels and options. The LuaJIT project owner considers the debug library unsafe by definition, but some users of later LuaJIT derivatives may have different expectations regarding its security.

Recommendations

For LuaJIT versions 2.0.5 and earlier, consider disabling the debug.getinfo function as a temporary workaround until further guidance is available. For Moonjit versions prior to 2.1.2, update to version 2.1.2 or later to address the issue. At the moment, there is no information about a newer version of LuaJIT that contains a fix for this issue.

Fix

Weakness Enumeration

Type Confusion

Related Identifiers

ALT-PU-2016-1638
AZL-41306
CVE-2019-19391
DLA-4283-1
OPENSUSE-SU-2024:13922-1
OPENSUSE-SU-2025:15672-1

Affected Products

Alt Linux
Debian
Luajit
Moonjit