CVE-2024-39702

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-39702

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39702.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-39702

Published

2024-07-23T16:15:05Z

Modified

2025-06-07T10:01:48.287141Z

Summary

[none]

Details

In ljstrhash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository. is unaffected.

References

https://openresty.org/en/ann-1025003002.html

Affected packages

Git / github.com/openresty/openresty

Affected ranges

Type: GIT
Repo: https://github.com/openresty/openresty
Events: Introduced

de3e659ef52237491babf62e784f322b146fdb1a

Fixed

800f908fd2959f0d139eb36698fdad7fb686eea1

Affected versions

v1.*

v1.19.3.1

v1.19.9.1

v1.19.9.1rc1

v1.21.4.1

v1.21.4.1rc1

v1.21.4.1rc2

v1.21.4.1rc3

v1.21.4.2

v1.21.4.2rc1