Severity by source
Sources disagree (Medium–Critical)CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing builtin/init.lua and adding the line getfenv = nil at the end. Note that this will break mods relying on this function (which is not inherently unsafe).
AnalysisAI
Remote code execution in Luanti 5.0.0 through 5.15.1 allows authenticated attackers to escape the Lua sandbox via malicious mods, achieving arbitrary code execution and full filesystem access on victim devices when LuaJIT is enabled. The vulnerability affects server-side mods, async/mapgen environments, and client-side mods (CSM), requiring only low privileges to exploit. A vendor patch is available in version 5.15.2, addressing a CWE-94 code injection flaw that enables complete compromise of the host system. No active exploitation or proof-of-concept has been publicly identified at time of analysis.
Technical ContextAI
Luanti (formerly Minetest) is an open-source voxel game engine written in C++ with a Lua scripting API for mods. The platform implements a sandbox to isolate mod code execution from the underlying system. This vulnerability (CWE-94: Improper Control of Generation of Code) exploits the 'getfenv' function in LuaJIT implementations to break sandbox boundaries. LuaJIT is a just-in-time compiler for Lua that provides performance optimizations but exposes unsafe primitives when not properly restricted. The affected CPE cpe:2.3:a:luanti-org:luanti includes all versions from 5.0.0 to 5.15.1. The flaw exists across multiple Lua execution contexts: server-side mods (which run on game servers), asynchronous/mapgen environments (used for world generation), and client-side mods (CSM, which execute on player devices). The root cause is insufficient neutralization of the 'getfenv' function, which allows access to function environments outside the sandbox, enabling arbitrary native code execution through LuaJIT's FFI capabilities.
RemediationAI
Upgrade to Luanti version 5.15.2 or later, which contains the vendor-released patch available at https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896. For users unable to immediately upgrade release versions 5.0.0-5.15.1, apply the interim mitigation by editing builtin/init.lua and adding 'getfenv = nil' at the end of the file, then restarting the server/client. Note this workaround will break any legitimate mods that rely on getfenv functionality, requiring compatibility testing before deployment in production environments. Alternative compensating control: recompile Luanti without LuaJIT support, using the standard Lua interpreter instead, which eliminates the vulnerable code path but reduces scripting performance by approximately 2-5x. For server operators, restrict mod installation privileges to trusted administrators only and implement mod code review processes, though these controls only reduce attack surface and do not eliminate the vulnerability. Review all installed mods for suspicious filesystem access patterns or unusual native library loading as potential indicators of exploitation attempts.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25154