Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state causing Lua VM corruption. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100). This vulnerability is fixed in 1.17.6.
AnalysisAI
Denial of service in Algernon web server versions prior to 1.17.6 stems from a race condition in the Lua handler engine where the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute on the non-goroutine-safe gopher-lua LState. Concurrent HTTP requests corrupt the shared Lua VM state, causing server instability. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but reproduction is trivial under modest load (ab -n 1000 -c 100).
Technical ContextAI
Algernon is a self-contained pure-Go web server written by xyproto that embeds gopher-lua for server-side scripting. The flaw is a classic CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, aka race condition): the engine/luahandler.go file acquires a sync.RWMutex around LoadCommonFunctions but releases it before invoking L.Push() and L.PCall() on the gopher-lua LState. Gopher-lua's LState object is explicitly documented as not goroutine-safe, so simultaneous HTTP request handlers operating on the same LState race on shared internal pointers, stacks, and registries, leading to VM corruption that the Go race detector flags immediately.
RemediationAI
Vendor-released patch: upgrade Algernon to version 1.17.6 or later, which corrects the mutex scope in engine/luahandler.go so the RWMutex is held across L.Push() and L.PCall() execution. Operators should consult the GHSA-rr2f-4wrm-h6rg advisory at https://github.com/xyproto/algernon/security/advisories/GHSA-rr2f-4wrm-h6rg and the upstream issue at https://github.com/xyproto/algernon/issues/172 for fix details. Where immediate upgrade is not possible, compensating controls include placing Algernon behind a reverse proxy that rate-limits concurrent connections per client (reducing the window for the race but not eliminating it, with the trade-off of degraded throughput for legitimate burst traffic), disabling Lua handler routes if the deployment does not require server-side scripting (eliminates the vulnerable code path but breaks any Lua-driven functionality), or restricting network exposure of the Algernon instance to trusted networks only.
All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/
Path traversal in Algernon web server versions prior to 1.17.6 allows remote unauthenticated attackers to write uploaded
Path traversal in xyproto's Algernon web server prior to 1.17.8 lets unauthenticated remote attackers escape the documen
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31866