CVE-2024-39702 identifies a Hash Denial of Service (HashDoS) vulnerability in the string hashing function implemented in lj_str_hash.c within OpenResty versions 1.19.3.1 through 1.25.3.1. This function is responsible for string interning, a process that stores unique strings efficiently to optimize memory and performance. The vulnerability arises because the hashing algorithm can be manipulated by an attacker to produce excessive hash collisions. When the OpenResty proxy processes crafted requests containing such strings, the hash table operations degrade from average O(1) to worst-case O(n) complexity, causing significant CPU and memory consumption. This can lead to resource exhaustion and denial of service with relatively few malicious requests. Notably, this vulnerability is specific to the OpenResty fork of LuaJIT (openresty/luajit2) and does not affect the original LuaJIT repository. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates that the attack is network-based, requires high attack complexity, no privileges, and no user interaction, with impact limited to availability. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability is categorized under CWE-407 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')).

The primary impact of CVE-2024-39702 is on the availability of systems running vulnerable OpenResty versions. Attackers can exploit the HashDoS vulnerability to cause excessive CPU and memory usage during proxy operations, leading to denial of service conditions. This can disrupt web services, degrade performance, and potentially cause outages. Organizations relying on OpenResty as a reverse proxy or web server component may experience service interruptions, affecting end-user access and business continuity. Since exploitation requires no authentication and can be triggered remotely, the attack surface is broad. However, the high attack complexity reduces the likelihood of widespread exploitation. The vulnerability does not affect confidentiality or integrity, limiting the impact to availability. Still, denial of service in critical infrastructure or high-traffic environments can have significant operational and reputational consequences.

1. Monitor network traffic for unusual patterns indicative of hash collision attacks, such as repeated requests with similar string payloads causing high CPU usage. 2. Limit request rates and implement rate limiting or throttling on endpoints served by OpenResty to reduce the impact of crafted requests. 3. Deploy Web Application Firewalls (WAFs) with rules to detect and block suspicious request patterns targeting string hashing functions. 4. Isolate OpenResty proxy servers behind load balancers or reverse proxies that can absorb or filter malicious traffic. 5. Review and update OpenResty versions regularly; apply patches or updates from the OpenResty project as soon as they become available. 6. Consider temporary workarounds such as disabling or modifying features that heavily rely on string interning if feasible. 7. Conduct performance testing under simulated attack conditions to understand system behavior and prepare incident response plans. 8. Engage with the OpenResty community or maintainers for early access to fixes or mitigation guidance.