Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
10DescriptionCVE.org
Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
AnalysisAI
Lua sandbox escape in Luanti 5.x (formerly Minetest) game engine allows malicious mod code to break out of LuaJIT security restrictions and execute arbitrary code on the host system. Affects all Luanti 5.0.0 through 5.15.1 when compiled with LuaJIT instead of standard Lua. Attackers with ability to distribute crafted mods can achieve complete system compromise with scope change (S:C in CVSS), escalating from sandboxed mod execution to full host access. No authentication required but local access needed (AV:L). Patch available in version 5.15.2 via two upstream commits. EPSS data not available; no confirmed active exploitation or public POC at time of analysis.
Technical ContextAI
Luanti (previously known as Minetest) is an open-source voxel game engine written in C++ that uses Lua scripting for game logic and mod support. The engine supports both standard Lua and LuaJIT (Just-In-Time compiler variant) as scripting backends. LuaJIT provides performance benefits but has historically presented unique security challenges for sandboxing due to its FFI (Foreign Function Interface) capabilities and JIT compilation mechanisms. This vulnerability (CWE-829: Inclusion of Functionality from Untrusted Control Sphere) specifically affects the LuaJIT implementation's sandbox, which is designed to isolate mod code from the host operating system. The sandbox escape allows malicious Lua code within a mod to bypass security boundaries and access system-level functionality that should be restricted. The CVSS scope change (S:C) indicates the vulnerable component (LuaJIT sandbox) operates at a different privilege level than the impacted component (host system), confirming genuine privilege escalation beyond the intended mod execution context.
RemediationAI
Upgrade to Luanti 5.15.2 or later, which contains the complete fix implemented in commits 8a929dfb97aa08337f49ba1bb96a56d6557dc896 and 53cef183e2a85a4daff84ac1a9a7946f940da8f8 available at https://github.com/luanti-org/luanti. If immediate upgrade is not feasible, recompile Luanti with standard Lua interpreter instead of LuaJIT - this eliminates the vulnerable code path entirely but may reduce mod execution performance by 2-5x depending on workload. For production multiplayer servers unable to upgrade immediately, implement strict mod vetting: only load mods from trusted sources with code review, disable automatic mod downloading, and run the game engine in a sandboxed environment (container, VM, or restricted user account) to limit blast radius of successful sandbox escape. Note that switching to standard Lua may break mods with LuaJIT-specific dependencies or performance assumptions. Operators of public servers accepting user-uploaded mods should treat this as a critical-priority patch due to the trivial social engineering path (malicious mod distribution).
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23149