Relative Path Traversal in Luanox_CVE-2025-59336

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Description

Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.

Basic Information

ID CVE-2025-59336

Source GitHub_M

Published Sep 16, 2025 at 16:59

Affected Product

Vendor lumen-oss

Product luanox

Version < 0.1.1

Affected Versions lumen-oss luanox < 0.1.1

CWE Classification

CWE-22 CWE-23

References

{
    "lastseen": "",
    "description": "Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.",
    "published": "2025-09-16T16:59:17.505Z",
    "modified": "2025-09-16T16:59:17.505Z",
    "type": "cve",
    "title": "Relative Path Traversal in Luanox",
    "source": "GitHub_M",
    "references": "https://github.com/lumen-oss/luanox/security/advisories/GHSA-42c5-x4pj-4p3w\nhttps://github.com/lumen-oss/luanox/commit/2b6237f3baaa1d905c491fca29f8301835721c46\nhttps://github.com/lumen-oss/luanox/commit/5198640c9644e2fcef5809f83b9ab0a9b4d0eeb2",
    "id": "CVE-2025-59336",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-23"
    ],
    "cvelist": null,
    "sourceData": "lumen-oss luanox < 0.1.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "luanox",
    "version": "< 0.1.1",
    "vendor": "lumen-oss",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}