diff --git a/internal/server/scripts.go b/internal/server/scripts.go
index c5bc904d..657267ab 100644
--- a/internal/server/scripts.go
+++ b/internal/server/scripts.go
@@ -124,6 +124,9 @@ func (pl *lStatePool) New() *lua.LState {
 }
 }
+ // Set package module to Nil so loaders can't be accessed
+ L.SetGlobal("package", lua.LNil)
+
 getArgs := func(ls *lua.LState) (evalCmd string, args []string) {
 evalCmd = ls.GetGlobal("EVAL_CMD").String()
diff --git a/tests/scripts_test.go b/tests/scripts_test.go
index 13d03979..82f7abcc 100644
--- a/tests/scripts_test.go
+++ b/tests/scripts_test.go
@@ -71,6 +71,7 @@ func scripts_VULN_test(mc *mockServer) error {
 {"EVAL", "return os.getenv", "0"}, {nil},
 {"EVAL", "return os.clock", "0"}, {"ERR Unsupported lua type: function"},
 {"EVAL", "return loadfile", "0"}, {nil},
- {"EVAL", "return tonumber", "0"}, {"ERR Unsupported lua type: function"},
+ {"EVAL", "return tonumber(ARGV[1])", "0", "38"}, {"38"},
+ {"EVAL", "return package", "0"}, {nil},
 })
 }
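Review bot: Niling the global at `L.SetGlobal("package", lua.LNil)` hides the table by name but does not by itself cut off the loaders it is meant to protect: in gopher-lua the package table is also cached in the registry's loaded-module table and `require` resolves loaders through the registry, so if `require` is still reachable a script can presumably get the same table back with `require("package")` (inferred from the library, not visible in this hunk). Either clear `require` in the same place, e.g. `L.SetGlobal("require", lua.LNil)`, or make the comment state the actual contract, e.g. `// Hide the package table (loaders/loadlib/searchpath) by name; require must be removed separately or it still reaches the loaders`. The enclosing `New()` starts and ends outside the hunk, and the test list implies earlier sanitisation of globals such as `os.getenv` and `loadfile`, so `require` may already be handled there; worth confirming rather than assuming.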
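Review bot: The new `{"EVAL", "return package", "0"}, {nil}` case only proves the global name is gone; it does not exercise the indirect path a sandbox escape would take, namely `require`, which is absent from this vulnerability table. Add a case pinning the intended behaviour of that path, e.g. `{"EVAL", "return require", "0"}, {nil},` if `require` is meant to be stripped, or one that asserts the specific error `require('package')` should now produce. The table and the function body continue outside the hunk, so an existing `require` case elsewhere in the file would make this redundant.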