CVE-2024-8998

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary version git f07a845 lunary-ai/lunary versions prior to 1.4.26

Description A Regular Expression Denial of Service (ReDoS) vulnerability exists in the server, which uses the regex /{.*?}/ to match user-controlled strings. In the default JavaScript regex engine, this regex can take polynomial time to match certain crafted user inputs. As a result, an attacker can cause the server to hang for an arbitrary amount of time by submitting a specially crafted payload.

Recommendations For lunary-ai/lunary version git f07a845, update to version 1.4.26 to resolve the issue. For lunary-ai/lunary versions prior to 1.4.26, update to version 1.4.26 to resolve the issue. As a temporary workaround, consider restricting the use of the regex /{.*?}/ to minimize the risk of exploitation.