CVE-2024-39702

Name of the Vulnerable Software and Affected Versions OpenResty versions 1.19.3.1 through 1.25.3.1

Description The string hashing function in OpenResty allows HashDoS (Hash Denial of Service) attacks, which can cause excessive resource usage during proxy operations via crafted requests. This can potentially lead to a denial of service with relatively few incoming requests. The issue exists in the OpenResty fork in the openresty/luajit2 GitHub repository, but the LuaJIT/LuaJIT repository is unaffected.

Recommendations For OpenResty versions 1.19.3.1 through 1.25.3.1, consider disabling the string hashing function used during string interning as a temporary workaround until a patch is available. Restrict access to proxy operations to minimize the risk of exploitation. Avoid using crafted requests that could trigger the HashDoS attack.