LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS).

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1357 advisory.

    There exists a denial of service through Data corruption in gRPC-C++ - gRPC-C++ servers with transmit zero     copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption     issues. The data sent by the application may be corrupted before transmission over the network thus     leading the receiver to receive an incorrect set of bytes causing RPC requests to fail. We recommend     upgrading past commit e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 (CVE-2024-11407)

    LuaJIT through 2.1 has a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c. (CVE-2024-25176)

    LuaJIT through 2.1 has an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service     (DoS). (CVE-2024-25177)

    LuaJIT through 2.1 has an out-of-bounds read in the stack-overflow handler in lj_state.c (CVE-2024-25178)

    When libcurl is asked to perform automatic gzip decompression ofcontent-encoded HTTP responses with the     `CURLOPT_ACCEPT_ENCODING` option,**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow     wouldmake libcurl perform a buffer overflow. (CVE-2025-0725)

    Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. Versions 1.34.0 through 1.34.4 and 1.35.0 contain a use-after-free (UAF) vulnerability in     the DNS cache, causing abnormal process termination. The vulnerability is in Envoy's Dynamic Forward Proxy     implementation, occurring when a completion callback for a DNS resolution triggers new DNS resolutions or     removes existing pending resolutions. This condition may occur when the following conditions are met:
    dynamic Forwarding Filter is enabled, the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime     flag is enabled, and the Host header is modified between the Dynamic Forwarding Filter and Router filters.
    This issue is resolved in versions 1.34.5 and 1.35.1. To work around this issue, set the     envoy.reloadable_features.dfp_cluster_resolves_hosts runtime flag to false. (CVE-2025-54588)

    Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0,     insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When     configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure     attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing     the session cookie to persist. This allows a user to remain logged in after they believe they have logged     out, creating a session hijacking risk on shared computers. The current implementation iterates through     the configured cookie names to generate deletion headers but does not check for these prefixes. This     failure to properly construct the deletion header means the user's session cookies are never removed by     the browser, leaving the session active and allowing the next user of the same browser to gain     unauthorized access to the original user's account and data. This is fixed in versions 1.32.10, 1.33.7,     1.34.5 and 1.35.1. (CVE-2025-55162)

    Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10,     large requests and responses can potentially trigger TCP connection pool crashes due to flow control     management in Envoy. It will happen when the connection is closing but upstream data is still coming,     resulting in a buffer watermark callback nullptr reference. The vulnerability impacts TCP proxy and HTTP 1     & 2 mixed use cases based on ALPN. This vulnerability is fixed in 1.36.1, 1.35.5, 1.34.9, and 1.33.10.
    (CVE-2025-62409)

    Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and     1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the     response phase rewrites a response body so that its size exceeds the configured     per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the     original response headers, leaving dangling references and causing a crash. This results in denial of     service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing     per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing     per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the     condition but does not correct the underlying memory safety flaw. (CVE-2025-62504)

    Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier,     Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed     is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is     caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError()     callback triggers processing of the second token, which calls fetch() again on the same fetcher object.
    The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes     a crash when the async HTTP response arrives. (CVE-2025-64527)

    Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier,     when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before     issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy     upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel     state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments.
    The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests     that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a     CONNECT tunnel. (CVE-2025-64763)

    Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier,     Envoy's mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates     containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches. (CVE-2025-66220)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of ecs-service-connect-agent installed on the remote host is prior to v1.34.4.2-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2025-093 advisory.

    There exists a denial of service through Data corruption in gRPC-C++ - gRPC-C++ servers with transmit zero     copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption     issues. The data sent by the application may be corrupted before transmission over the network thus     leading the receiver to receive an incorrect set of bytes causing RPC requests to fail. We recommend     upgrading past commit e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 (CVE-2024-11407)

    LuaJIT through 2.1 has a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c. (CVE-2024-25176)

    LuaJIT through 2.1 has an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service     (DoS). (CVE-2024-25177)

    LuaJIT through 2.1 has an out-of-bounds read in the stack-overflow handler in lj_state.c (CVE-2024-25178)

    When libcurl is asked to perform automatic gzip decompression ofcontent-encoded HTTP responses with the     `CURLOPT_ACCEPT_ENCODING` option,**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow     wouldmake libcurl perform a buffer overflow. (CVE-2025-0725)

    Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. Versions 1.34.0 through 1.34.4 and 1.35.0 contain a use-after-free (UAF) vulnerability in     the DNS cache, causing abnormal process termination. The vulnerability is in Envoy's Dynamic Forward Proxy     implementation, occurring when a completion callback for a DNS resolution triggers new DNS resolutions or     removes existing pending resolutions. This condition may occur when the following conditions are met:
    dynamic Forwarding Filter is enabled, the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime     flag is enabled, and the Host header is modified between the Dynamic Forwarding Filter and Router filters.
    This issue is resolved in versions 1.34.5 and 1.35.1. To work around this issue, set the     envoy.reloadable_features.dfp_cluster_resolves_hosts runtime flag to false. (CVE-2025-54588)

    Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0,     insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When     configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure     attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing     the session cookie to persist. This allows a user to remain logged in after they believe they have logged     out, creating a session hijacking risk on shared computers. The current implementation iterates through     the configured cookie names to generate deletion headers but does not check for these prefixes. This     failure to properly construct the deletion header means the user's session cookies are never removed by     the browser, leaving the session active and allowing the next user of the same browser to gain     unauthorized access to the original user's account and data. This is fixed in versions 1.32.10, 1.33.7,     1.34.5 and 1.35.1. (CVE-2025-55162)

    Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10,     large requests and responses can potentially trigger TCP connection pool crashes due to flow control     management in Envoy. It will happen when the connection is closing but upstream data is still coming,     resulting in a buffer watermark callback nullptr reference. The vulnerability impacts TCP proxy and HTTP 1     & 2 mixed use cases based on ALPN. This vulnerability is fixed in 1.36.1, 1.35.5, 1.34.9, and 1.33.10.
    (CVE-2025-62409)

    Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and     1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the     response phase rewrites a response body so that its size exceeds the configured     per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the     original response headers, leaving dangling references and causing a crash. This results in denial of     service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing     per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing     per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the     condition but does not correct the underlying memory safety flaw. (CVE-2025-62504)

    Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier,     Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed     is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is     caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError()     callback triggers processing of the second token, which calls fetch() again on the same fetcher object.
    The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes     a crash when the async HTTP response arrives. (CVE-2025-64527)

    Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier,     when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before     issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy     upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel     state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments.
    The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests     that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a     CONNECT tunnel. (CVE-2025-64763)

    Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier,     Envoy's mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates     containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches. (CVE-2025-66220)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03378-1 advisory.

    - CVE-2024-25176: Fixed stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c (bsc#1246077)
    - CVE-2024-25177: Fixed unsinking of IR_FSTORE for NULL metatable (bsc#1246078)
    - CVE-2024-25178: Fixed out-of-bounds read in the stack-overflow handler in lj_state.c (bsc#1246079)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4283 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4283-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                       Guilhem Moulin     August 25, 2025                               https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : luajit     Version        : 2.1.0~beta3+dfsg-5.3+deb11u1     CVE ID         : CVE-2019-19391 CVE-2020-15890 CVE-2020-24372 CVE-2024-25176                      CVE-2024-25177 CVE-2024-25178     Debian Bug     : 946053 966148

    Multiple vulnerabilities were found in luajit, a just in time compiler     for the Lua programming language, which could lead to denial of service.

    CVE-2019-19391

        It was discovered that debug.getinfo() has a type confusion issue         that leads to arbitrary memory write or read operations, because         certain cases involving valid stack levels and `>` options are         mishandled.

        NOTE: The LuaJIT project owner disputes the vulnerability and states         that the debug library is unsafe by design.

    CVE-2020-15890

        Yongheng Chen discovered an out-of-bounds read because `__gc`         handler frame traversal is mishandled.

    CVE-2020-24372

        Yongheng Chen discovered out-of-bounds read in lj_err_run().

    CVE-2024-25176

        Kutyavin Maxim discovered a stack-buffer-overflow in         lj_strfmt_wfnum().

    CVE-2024-25177

        Kutyavin Maxim discovered an unsinking of IR_FSTORE for NULL         metatable.

    CVE-2024-25178

        Kutyavin Maxim discovered an out-of-bounds read in the         stack-overflow handler.

    For Debian 11 bullseye, these problems have been fixed in version     2.1.0~beta3+dfsg-5.3+deb11u1.

    We recommend that you upgrade your luajit packages.

    For the detailed security status of luajit please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/luajit

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0597 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2024-25178:
    LuaJIT through 2.1 has an out-of-bounds read in the stack-overflow handler in lj_state.c

    CVE-2024-25177:
    LuaJIT through 2.1 has an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service     (DoS).

    CVE-2024-25176:
    LuaJIT through 2.1 has a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02886-1 advisory.

    - CVE-2024-25176: Fixed stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c (bsc#1246077)
    - CVE-2024-25177: Fixed unsinking of IR_FSTORE for NULL metatable (bsc#1246078)
    - CVE-2024-25178: Fixed ut-of-bounds read in the stack-overflow handler in lj_state.c (bsc#1246079)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL     metatable, which leads to Denial of Service (DoS). (CVE-2024-25177)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
282371	Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2025-1357)	Nessus	Amazon Linux Local Security Checks	high
281808	Amazon Linux 2 : ecs-service-connect-agent, --advisory ALAS2ECS-2025-093 (ALASECS-2025-093)	Nessus	Amazon Linux Local Security Checks	high
266012	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : luajit (SUSE-SU-2025:03378-1)	Nessus	SuSE Local Security Checks	critical
255190	Debian dla-4283 : libluajit-5.1-2 - security update	Nessus	Debian Local Security Checks	critical
253453	TencentOS Server 4: luajit (TSSA-2025:0597)	Nessus	Tencent Local Security Checks	critical
252927	openSUSE 15 Security Update : lua51-luajit (SUSE-SU-2025:02886-1)	Nessus	SuSE Local Security Checks	critical
246869	Linux Distros Unpatched Vulnerability : CVE-2024-25177	Nessus	Misc.	high

Detections

Analytics

CVE-2024-25177

high

Tenable Plugins

high

high

critical

critical

critical

critical

high