luajit CVE Vulnerabilities & Metrics

Focus on luajit vulnerabilities and metrics.

Last updated: 01 Aug 2025, 22:25 UTC

About luajit Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with luajit. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total luajit CVEs: 6
Earliest CVE date: 29 Nov 2019, 16:15 UTC
Latest CVE date: 07 Jul 2025, 17:15 UTC

Latest CVE reference: CVE-2024-25178

Rolling Stats

30-day Count (Rolling): 3
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

[Charts not reproduced: Monthly CVE Trends (current vs previous year); Annual CVE Trends (last 20 years); Critical luajit CVEs (CVSS ≥ 9) over 20 years]

CVSS Stats

Average CVSS: 2.73

Max CVSS: 6.4

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 3
4.0-6.9 3
7.0-8.9 0
9.0-10.0 0

Top 5 Highest CVSS luajit CVEs

These are the five CVEs with the highest CVSS scores for luajit, sorted by severity first, then by recency.

All CVEs for luajit

CVE-2024-25178 | luajit vulnerability | CVSS: 0 | 07 Jul 2025, 17:15 UTC

LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240314 have an out-of-bounds read in the stack-overflow handler in lj_state.c.

CVE-2024-25177 | luajit vulnerability | CVSS: 0 | 07 Jul 2025, 17:15 UTC

LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS).

CVE-2024-25176 | luajit vulnerability | CVSS: 0 | 07 Jul 2025, 17:15 UTC

LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240626 have a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c.

CVE-2020-24372 | luajit vulnerability | CVSS: 5.0 | 17 Aug 2020, 17:15 UTC

LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_run in lj_err.c.

CVE-2020-15890 | luajit vulnerability | CVSS: 5.0 | 21 Jul 2020, 22:15 UTC

LuaJIT through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.

CVE-2019-19391 | luajit vulnerability | CVSS: 6.4 | 29 Nov 2019, 16:15 UTC

In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug library is unsafe by definition and that this is not a vulnerability. When LuaJIT was originally developed, the expectation was that the entire debug library had no security guarantees and thus it made no sense to assign CVEs. However, not all users of later LuaJIT derivatives share this perspective.