Luanti
Monthly
Remote code execution in Luanti 5.0.0 through 5.15.1 allows authenticated attackers to escape the Lua sandbox via malicious mods, achieving arbitrary code execution and full filesystem access on victim devices when LuaJIT is enabled. The vulnerability affects server-side mods, async/mapgen environments, and client-side mods (CSM), requiring only low privileges to exploit. A vendor patch is available in version 5.15.2, addressing a CWE-94 code injection flaw that enables complete compromise of the host system. No active exploitation or proof-of-concept has been publicly identified at time of analysis.
Lua sandbox escape in Luanti 5.x (formerly Minetest) game engine allows malicious mod code to break out of LuaJIT security restrictions and execute arbitrary code on the host system. Affects all Luanti 5.0.0 through 5.15.1 when compiled with LuaJIT instead of standard Lua. Attackers with ability to distribute crafted mods can achieve complete system compromise with scope change (S:C in CVSS), escalating from sandboxed mod execution to full host access. No authentication required but local access needed (AV:L). Patch available in version 5.15.2 via two upstream commits. EPSS data not available; no confirmed active exploitation or public POC at time of analysis.
Remote code execution in Luanti 5.0.0 through 5.15.1 allows authenticated attackers to escape the Lua sandbox via malicious mods, achieving arbitrary code execution and full filesystem access on victim devices when LuaJIT is enabled. The vulnerability affects server-side mods, async/mapgen environments, and client-side mods (CSM), requiring only low privileges to exploit. A vendor patch is available in version 5.15.2, addressing a CWE-94 code injection flaw that enables complete compromise of the host system. No active exploitation or proof-of-concept has been publicly identified at time of analysis.
Lua sandbox escape in Luanti 5.x (formerly Minetest) game engine allows malicious mod code to break out of LuaJIT security restrictions and execute arbitrary code on the host system. Affects all Luanti 5.0.0 through 5.15.1 when compiled with LuaJIT instead of standard Lua. Attackers with ability to distribute crafted mods can achieve complete system compromise with scope change (S:C in CVSS), escalating from sandboxed mod execution to full host access. No authentication required but local access needed (AV:L). Patch available in version 5.15.2 via two upstream commits. EPSS data not available; no confirmed active exploitation or public POC at time of analysis.