CVE-2025-59336

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-59336

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59336.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-59336

Aliases

GHSA-42c5-x4pj-4p3w

Published

2025-09-16T16:59:17.505Z

Modified

2026-04-02T12:56:58.989452Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Relative Path Traversal in Luanox

Details

Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59336.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22",
        "CWE-23"
    ]
}

References

Affected packages

Git / github.com/lumen-oss/luanox

Affected ranges

Type: GIT
Repo: https://github.com/lumen-oss/luanox
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2b6237f3baaa1d905c491fca29f8301835721c46

Type: GIT
Repo: https://github.com/lumen-oss/luanox
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5198640c9644e2fcef5809f83b9ab0a9b4d0eeb2

Affected versions

v0.*

v0.1.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59336.json"