DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24874: False Idols: Type Confusion in Xray-Monolith's LuaJIT Engine (CVE-2026-24874)

Vulnerability ID: CVE-2026-24874
CVSS Score: 9.1
Published: 2026-01-27

A critical type confusion vulnerability in the embedded LuaJIT component of xray-monolith allows attackers to treat arbitrary data as function pointers. By exploiting a disabled debug assertion, malicious actors can bypass type safety, leading to arbitrary memory read/write and potential Remote Code Execution.

TL;DR

The debug.getinfo function in xray-monolith's LuaJIT implementation relied on a development-only assertion (api_check) to validate input types. In production builds, this check vanished, allowing attackers to pass non-function objects (like strings) to a function that expected a function pointer. This type confusion allows for memory corruption and RCE.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-843
  • Attack Vector: Network
  • CVSS: 9.1 (Critical)
  • Impact: RCE / Memory Disclosure
  • Vulnerability Type: Type Confusion
  • Component: LuaJIT (lj_debug.c)

Affected Systems

  • themrdemonized/xray-monolith < 2025.12.30 (Fixed in: 2025.12.30)
  • Embedded LuaJIT implementations derived from vulnerable versions

Code Analysis

Commit: PR-399

Fixed type confusion in lj_debug_getinfo by adding a mandatory runtime check.
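The two patterns the report contrasts, as an added illustration that is not code from xray-monolith or LuaJIT: a type check that exists only as a development assertion (modelled on api_check, which NDEBUG compiles out) beside the same lookup with a mandatory runtime check that fails closed. The tagged-value layout, the function names and the sample values are simplified constructions for this example.

```c
#include <assert.h>
#include <stdio.h>

/* Simplified model of a tagged Lua value; not LuaJIT's real TValue layout. */
typedef enum { T_NIL, T_STRING, T_FUNCTION } ValueType;
typedef struct { const char *name; } LuaFunc;
typedef struct {
    ValueType type;
    union { const char *str; const LuaFunc *fn; } u;
} TValue;

/* Development-only check modelled on api_check: compiled out under NDEBUG. */
#ifdef NDEBUG
#define api_check(cond) ((void)0)
#else
#define api_check(cond) assert(cond)
#endif

/* Vulnerable pattern: the assertion is the only type check, so a release
 * build reinterprets a string's pointer as a function pointer (not called). */
const char *getinfo_assert_only(const TValue *tv) {
    api_check(tv->type == T_FUNCTION);
    return tv->u.fn->name;
}

/* Hardened pattern matching the fix described above: the check is ordinary
 * code that survives release builds and fails closed on the wrong type. */
int getinfo_checked(const TValue *tv, const char **name_out) {
    *name_out = NULL;
    if (tv == NULL || tv->type != T_FUNCTION)
        return -1;                 /* caller raises "function expected" */
    *name_out = tv->u.fn->name;
    return 0;
}

static const LuaFunc sample_fn = { "on_update" };   /* constructed sample */
int lookup_function_value(const char **name_out) {  /* a genuine function */
    TValue tv = { T_FUNCTION, { .fn = &sample_fn } };
    return getinfo_checked(&tv, name_out);
}
int lookup_string_value(const char **name_out) {    /* a string posing as one */
    TValue tv = { T_STRING, { .str = "not a function" } };
    return getinfo_checked(&tv, name_out);
}

int main(void) {
    const char *name;
    printf("function value: rc=%d name=%s\n", lookup_function_value(&name), name);
    printf("string value:   rc=%d\n", lookup_string_value(&name));
    return 0;
}
```

Building with -DNDEBUG removes api_check from getinfo_assert_only entirely, while getinfo_checked still rejects the string value; that difference is the whole bug class.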

Exploit Details

  • Internal Research: The vulnerability relies on the api_check macro being compiled out of release builds, so that strings can be passed where functions are expected.

Mitigation Strategies

  • Disable the 'debug' library in Lua environments exposed to untrusted input.
  • Update xray-monolith to the latest patched release.
  • Implement strict sandboxing for any user-supplied Lua scripts.

Remediation Steps:

  1. Identify all instances of xray-monolith running versions < 2025.12.30.
  2. Apply the vendor patch or upgrade to the latest stable release.
  3. Restart the service to ensure the new LuaJIT binary is loaded.
  4. Audit Lua scripts for usage of debug.getinfo.

References

Read the full report for CVE-2026-24874 on our website for more details including interactive diagrams and full exploit analysis.
