DragonflyDB Dragonfly Denial-of-Service Vulnerability via Lua Library Command

Vulnerability

A denial-of-service vulnerability has been identified in DragonflyDB Dragonfly versions through 1.28.2, allowing authenticated users to cause the daemon to crash. This issue arises from a Lua library command that references a large negative integer, leading to a stack buffer overflow. The vulnerability has been fixed in version 1.29.0.

Impact

Exploitation of this vulnerability causes the DragonflyDB service to crash, disrupting any active processes or connections.

Reproduction

To reproduce this vulnerability, first ensure you are running DragonflyDB Dragonfly version 1.26.1 or earlier. After starting the DragonflyDB server, authenticate as a user and execute a Lua script via the EVAL command. The payload should include a reference to a large negative integer, such as -2147483648. This command causes the server to crash immediately.

Remediation

Users can upgrade to DragonflyDB Dragonfly version 1.29.0 or later, where this vulnerability has been fixed.
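As an added triage helper (not code from the DragonflyDB project or the advisory), the following script reads the version reported by an instance's INFO server output and decides whether it falls below the fixed 1.29.0 release; it assumes the version field is named dragonfly_version, and the INFO samples are constructed, not captured from a real server.

```python
import re

# Fixed release taken from the advisory text above.
FIXED_VERSION = (1, 29, 0)


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'v1.28.2' or 'df-v1.29.0-dev'.
    Returns None when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_from_info(info_text):
    """Find the Dragonfly version in 'INFO server' output.
    ASSUMPTION: the field is named 'dragonfly_version' (not stated by the advisory)."""
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith("dragonfly_version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def is_affected(version):
    """True when the instance runs a release older than the fixed 1.29.0.
    Comparing integer tuples avoids the string-comparison trap where '1.9.0' > '1.29.0'."""
    return version is not None and version < FIXED_VERSION


# Constructed sample INFO output (not captured from a real server).
SAMPLE_INFO_OLD = "# Server\nredis_version:6.2.11\ndragonfly_version:df-v1.28.2\nredis_mode:standalone\n"
SAMPLE_INFO_NEW = "# Server\nredis_version:6.2.11\ndragonfly_version:df-v1.29.0\n"

if __name__ == "__main__":
    for name, info in (("old", SAMPLE_INFO_OLD), ("new", SAMPLE_INFO_NEW)):
        v = version_from_info(info)
        print(name, v, "affected" if is_affected(v) else "fixed")
```

On a live instance, feed the raw text returned by the INFO server command into version_from_info in place of the constructed samples.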

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.