CVE-2025-59336: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in lumen-oss luanox
Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.
AI Analysis
Technical Summary
CVE-2025-59336 is a path traversal vulnerability affecting the luanox module host for Lua packages, specifically versions prior to 0.1.1. Luanox is used to manage Lua packages, and the vulnerability arises from improper validation of package names during the rockspec verification process. The system fails to filter out malicious package names containing relative path sequences such as "../../package", so an uploaded file can be written outside the intended directory. This can overwrite critical Phoenix runtime files. Phoenix is a web framework, and overwriting its runtime files can cause denial of service by crashing the website or disrupting its normal operation. The vulnerability requires no authentication, user interaction, or privileges, and can be exploited remotely over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no required privileges or user interaction. There is no confidentiality impact, but integrity and availability are affected because runtime files can be overwritten and service disrupted. No known exploits are currently reported in the wild. The issue is fixed in luanox version 0.1.1 by properly sanitizing package names to prevent directory traversal. Organizations running luanox versions prior to 0.1.1 should prioritize upgrading to mitigate this risk.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily through potential denial of service attacks on web applications using the Phoenix framework with luanox as the Lua package manager. Disruption of web services can lead to operational downtime, loss of customer trust, and potential financial losses. While confidentiality is not directly impacted, the integrity of runtime files is at risk, which could be leveraged for further attacks if combined with other vulnerabilities. Organizations in sectors that rely heavily on web applications, such as e-commerce, government portals, and financial services, may experience service interruptions. The ease of exploitation (no authentication or user interaction required) increases the threat level, especially for publicly accessible services. However, the absence of known exploits in the wild and the availability of a patch reduce the immediate risk if mitigations are applied promptly.
Mitigation Recommendations
1. Immediately upgrade luanox to version 0.1.1 or later to ensure the vulnerability is patched.
2. Implement strict input validation and sanitization on package names and file paths rather than relying solely on luanox's internal checks.
3. Employ runtime file integrity monitoring on Phoenix runtime directories to detect unauthorized changes early.
4. Restrict upload permissions and isolate the package upload process in a sandboxed environment to limit the impact of potential exploitation.
5. Monitor logs for suspicious package names containing directory traversal patterns.
6. Conduct regular security audits and penetration testing focusing on third-party module hosts and package managers.
7. Establish incident response procedures to quickly recover from potential denial of service caused by overwritten runtime files.
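The following Python is an added illustration of the flaw described in the technical summary and of the input validation called for in mitigation 2; it is not luanox's code, and the upload directory layout, the `.src.rock` file suffix and the allowlist pattern are assumptions. It contrasts the naive path join with a validator that allowlists rockspec package names and independently confirms the resolved path stays under the upload root.

```python
import os
import re

# Constructed layout for this example (not luanox's real directory structure):
# uploaded rocks are written below UPLOAD_ROOT and nothing above it may be touched.
UPLOAD_ROOT = "/srv/luanox/packages"

# Allowlist for package names: a leading letter or digit, then only letters,
# digits, '_', '-' and '.'; a path separator can never match this pattern.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,99}")


def is_valid_package_name(name: str) -> bool:
    """True only for names that match the allowlist in full."""
    return NAME_RE.fullmatch(name) is not None


def vulnerable_store_path(root: str, name: str) -> str:
    """The pattern the advisory describes: the name is trusted and joined
    straight into the storage path, so '../../package' lands two levels
    above `root`."""
    return os.path.normpath(os.path.join(root, name + ".src.rock"))


def safe_store_path(root: str, name: str) -> str:
    """Allowlist the name, then independently confirm the resolved path is
    still under `root` (defence in depth: this second check holds even if
    the allowlist is relaxed later)."""
    if not is_valid_package_name(name):
        raise ValueError(f"rejected package name: {name!r}")
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, name + ".src.rock"))
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise ValueError(f"path escapes upload root: {target}")
    return target


def escapes_root(root: str, name: str) -> bool:
    """True when the naive join would place the file outside `root`; handy
    for unit-testing validators and for reviewing upload logs afterwards."""
    root_abs = os.path.abspath(root)
    return os.path.commonpath([root_abs, vulnerable_store_path(root_abs, name)]) != root_abs


if __name__ == "__main__":
    for candidate in ("luasocket", "lua-cjson", "../../package", "sub/pkg"):
        print(f"{candidate!r:18} valid={is_valid_package_name(candidate)} "
              f"escapes={escapes_root(UPLOAD_ROOT, candidate)}")
```

`escapes_root` also serves mitigation 5: run it over the package names recorded in upload logs to flag any that would have resolved outside the upload root.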
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-12T12:36:24.635Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c9985b238a0184d6560f29
Added to database: 9/16/2025, 5:03:23 PM
Last enriched: 9/16/2025, 5:03:44 PM
Last updated: 9/17/2025, 12:09:20 AM