Medium severityOSV Advisory· Published Sep 16, 2025· Updated Apr 15, 2026
CVE-2025-59336
CVE-2025-59336
Description
Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.
Affected products
1Patches
22b6237f3baaafix: restrict allowed package names
1 file changed · +1 −0
luanox/lib/luanox/packages/package.ex+1 −0 modified@@ -32,6 +32,7 @@ defmodule LuaNox.Packages.Package do |> cast(attrs, [:name]) |> validate_required([:name]) |> unique_constraint(:name) + |> validate_format(:name, ~r/^[a-zA-Z0-9_\-]+$/) # Recast here to prevent the user from changing the package name |> cast(attrs, [:summary, :description]) |> validate_length(:name, min: 1, max: 20)
5198640c9644fix: relative path traversal via malformed package names
1 file changed · +45 −43
luanox-rockspec-verifier/lib/luanox_rockspec_verifier/rockspec.ex+45 −43 modified@@ -5,55 +5,57 @@ defmodule LuanoxRockspecVerifier.Rockspec do }) do sandboxed_state = :luerl_sandbox.init() - case :luerl_sandbox.run( - rockspec, - %{ - max_reductions: 500 - # max_time: ... - }, - sandboxed_state - ) do - {:ok, _, state} -> - with {:ok, "3.0", _} <- Luerl.get_table_keys_dec(state, ["rockspec_format"]), - {:ok, ^expected_name, _} <- - Luerl.get_table_keys_dec(state, ["package"]), - {:ok, ^expected_version, _} <- - Luerl.get_table_keys_dec(state, ["version"]), - {:ok, source, _} <- Luerl.get_table_keys_dec(state, ["source"]), - {:ok, build, _} <- Luerl.get_table_keys_dec(state, ["build"]) do - {has_tag_or_hash, has_git_url} = - Enum.reduce(source, {false, false}, fn - {tag_or_hash, _}, {_, has_url} when tag_or_hash in ["tag", "hash"] -> - {true, has_url} + Regex.match?(~r/^[a-zA-Z0-9_\-]+$/, expected_name) and + case :luerl_sandbox.run( + rockspec, + %{ + max_reductions: 500 + # max_time: ... + }, + sandboxed_state + ) do + {:ok, _, state} -> + with {:ok, %Version{}} <- Version.parse(expected_version), + {:ok, "3.0", _} <- Luerl.get_table_keys_dec(state, ["rockspec_format"]), + {:ok, ^expected_name, _} <- + Luerl.get_table_keys_dec(state, ["package"]), + {:ok, ^expected_version, _} <- + Luerl.get_table_keys_dec(state, ["version"]), + {:ok, source, _} <- Luerl.get_table_keys_dec(state, ["source"]), + {:ok, build, _} <- Luerl.get_table_keys_dec(state, ["build"]) do + {has_tag_or_hash, has_git_url} = + Enum.reduce(source, {false, false}, fn + {tag_or_hash, _}, {_, has_url} when tag_or_hash in ["tag", "hash"] -> + {true, has_url} - {"url", "git+" <> _}, {has_tag, _} -> - {has_tag, true} + {"url", "git+" <> _}, {has_tag, _} -> + {has_tag, true} - {"url", "git://" <> _}, {has_tag, _} -> - {has_tag, true} + {"url", "git://" <> _}, {has_tag, _} -> + {has_tag, true} - _, acc -> - acc - end) + _, acc -> + acc + end) + + has_url = + has_git_url or + Enum.any?(source, fn + {"url", _} -> true + _ -> false + end) - has_url = - has_git_url or - Enum.any?(source, fn - {"url", _} -> true + ((has_tag_or_hash and has_git_url) or has_url) and + Enum.any?(build, fn + {"type", _} -> true _ -> false end) + else + _ -> false + end - ((has_tag_or_hash and has_git_url) or has_url) and - Enum.any?(build, fn - {"type", _} -> true - _ -> false - end) - else - _ -> false - end - - {:error, _} -> - false - end + {:error, _} -> + false + end end end
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.