Description
Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime complexity relative to the input size, leading to potential denial of service. An attacker can exploit this by submitting a specially crafted regular expression, causing the server to become unresponsive for an arbitrary length of time.
CVSS Metrics
- Vector
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- none
- Scope
- unchanged
- Confidentiality
- none
- Integrity
- none
- Availability
- high
- Weaknesses
- CWE-1333NVD-CWE-noinfo
Metadata
- Primary Vendor
- LUNARY
- Published
- 3/20/2025
- Last Modified
- 10/15/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
lunary : lunary
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.