Luanti LuaJIT Sandbox Escape Vulnerability

Vulnerability

A vulnerability in Luanti versions 5.0.0 and later, prior to 5.15.2, when using LuaJIT, allows a crafted mod to escape the Lua sandbox. This escape can lead to the execution of arbitrary code and unrestricted access to the filesystem on the user's device. The issue affects both server-side and client-side environments.

Impact

Exploitation of this vulnerability allows for a complete escape from the Lua sandbox, enabling the execution of arbitrary code and full access to the filesystem on the user's device.

Remediation

Users can update to Luanti version 5.15.2 or newer to address this vulnerability. Alternatively, on release versions, the issue can be patched without recompiling by editing 'builtin/init.lua' to remove the 'getfenv' function, though this may break some mods that rely on it.
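Because the 'getfenv' workaround may break mods, it helps to know beforehand which installed mods reference the function. The following is an added example, not Luanti's own code: the function names and the one-directory-per-mod layout are assumptions, and the sample mod files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Heuristic Lua comment patterns; a "--" inside a string literal is misread as a comment.
BLOCK_COMMENT = re.compile(r"--\[(=*)\[.*?\]\1\]", re.DOTALL)
LINE_COMMENT = re.compile(r"--.*")
# Also flags qualified forms such as _G.getfenv; review each hit by hand.
GETFENV = re.compile(r"\bgetfenv\b")


def strip_comments(source: str) -> str:
    """Blank out Lua comments while keeping line numbers stable."""
    source = BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    return LINE_COMMENT.sub("", source)


def find_getfenv_users(mods_root):
    """Map mod directory name -> [(relative file, line number, code line)]."""
    root = Path(mods_root)
    hits = {}
    for lua_file in sorted(root.rglob("*.lua")):
        rel = lua_file.relative_to(root)
        code = strip_comments(lua_file.read_text(encoding="utf-8", errors="replace"))
        for lineno, line in enumerate(code.splitlines(), start=1):
            if GETFENV.search(line):
                hits.setdefault(rel.parts[0], []).append((rel.as_posix(), lineno, line.strip()))
    return hits


def demo():
    """Run the scan over a constructed two-mod tree (sample data, not real mods)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "mod_a/init.lua": "local env = getfenv(1)\n-- getfenv in a comment\n",
            "mod_b/init.lua": "--[[ getfenv(0)\n]]\nprint('no use here')\n",
        }
        for name, text in samples.items():
            path = root / name
            path.parent.mkdir(parents=True)
            path.write_text(text, encoding="utf-8")
        return find_getfenv_users(root)


if __name__ == "__main__":
    for mod, uses in demo().items():
        for rel, lineno, line in uses:
            print(f"{mod}: {rel}:{lineno}: {line}")
```

Mods that appear in the result are the ones to test or replace before removing 'getfenv'; updating to 5.15.2 or newer avoids the compatibility question.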

Added: Apr 16, 2026, 1:23 AM
Updated: Apr 16, 2026, 1:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.5
remediation: 0.0
relevance: 6.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.