CVE-2024-8763: CWE-1333 Inefficient Regular Expression Complexity in lunary-ai lunary-ai/lunary
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by supplying input that is processed by the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression's susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input.
AI Analysis
Technical Summary
CVE-2024-8763 is a Regular Expression Denial of Service (ReDoS) vulnerability identified in the lunary-ai/lunary repository, specifically within the compileTextTemplate function. The vulnerability stems from the use of the regular expression /{{(.*?)}}/g, which is susceptible to excessive backtracking due to its inefficient pattern design. When an attacker submits input containing a large number of braces, the regex engine's processing time grows polynomially: for each candidate "{{" the lazy ".*?" group scans forward looking for a closing "}}", and when none is found the engine discards that work and retries from the next position, so an input of n brace characters costs on the order of n² steps. This causes the server to hang and become unresponsive, which effectively results in a denial of service condition. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The affected versions are unspecified, but the vulnerability was identified in the git commit be54057. The CVSS v3.0 score is 7.5, reflecting a high severity due to the ease of exploitation and the impact on availability. No patches or fixes have been linked yet, and no known exploits have been observed in the wild. The root cause is the inefficient regular expression pattern, which can be rewritten or replaced with a non-backtracking scanner to prevent the quadratic behaviour. This vulnerability highlights the risks of using unbounded regex patterns without proper safeguards in input processing functions.
Potential Impact
For European organizations using lunary-ai/lunary, this vulnerability poses a significant risk of denial of service attacks that can disrupt critical services relying on this software. The server hang caused by the ReDoS attack can lead to downtime, degraded performance, and potential loss of availability for end users. This can affect business continuity, especially for organizations that integrate lunary-ai/lunary into customer-facing applications or internal automation tools. The lack of authentication requirement means attackers can exploit this remotely, increasing the attack surface. Additionally, prolonged service outages may lead to reputational damage and potential regulatory scrutiny under European data protection laws if service availability impacts user data processing. The vulnerability does not directly compromise confidentiality or integrity but severely impacts availability, which is critical for operational resilience.
Mitigation Recommendations
To mitigate CVE-2024-8763, organizations should implement several specific measures:
1) Apply input validation to restrict or sanitize inputs containing excessive braces or suspicious patterns before they reach the vulnerable regex processing function.
2) Limit the size and complexity of user inputs to reduce the risk of triggering catastrophic backtracking.
3) Monitor application logs and performance metrics for signs of hanging or slow response times indicative of ReDoS attempts.
4) If possible, replace the vulnerable regular expression with a more efficient pattern or use alternative parsing methods that do not rely on regex prone to backtracking.
5) Stay alert for official patches or updates from lunary-ai and apply them promptly once available.
6) Employ web application firewalls (WAFs) or rate limiting to detect and block suspicious input patterns targeting this vulnerability.
7) Conduct code reviews and static analysis focusing on regex usage to proactively identify similar risks in other parts of the codebase.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-09-12T20:10:57.346Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b2d178f764e1f470e66
Added to database: 10/15/2025, 1:01:33 PM
Last enriched: 10/15/2025, 1:19:10 PM
Last updated: 10/15/2025, 8:13:52 PM