CVE-2024-8998

CVE-2024-8998 is a Regular Expression Denial of Service (ReDoS) vulnerability in the lunary-ai/lunary server at commit git f07a845. The issue stems from the regex pattern /{.*?}/ applied to user-controlled strings, which exhibits polynomial-time complexity in the default JavaScript regex engine when processing certain crafted inputs. This affects the server's ability to process requests efficiently, as rated by a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-1333.

Any unauthenticated remote attacker can exploit this vulnerability by submitting a specially crafted payload that triggers excessive backtracking in the regex engine. Successful exploitation causes the server to hang for an arbitrary duration, resulting in a denial of service that impacts availability without requiring privileges or user interaction.

The vulnerability is fixed in lunary-ai/lunary version 1.4.26, as detailed in the patching commit at https://github.com/lunary-ai/lunary/commit/f2bfa036caf2c48686474f4560a9c5abcf5f43b7. Additional details are available via the Huntr advisory at https://huntr.com/bounties/4dbd8648-1dca-4f95-b74f-978ef030e97e. Security practitioners should upgrade to the patched version and review regex usage in Node.js applications for similar ReDoS risks.