Reproduction lua, this should not throw/error. It is a valid regex and source string. There is some bug in the old-old (2015?) KopiLua_strlib.cs and it is loosing track of the input state.

var code = "string.gsub('some words for spacing error reasons <script>alert(""hello world"")</script>','^%s*(.-)%s*$','%1')";
var script = new Script();
script.DoString(code); //should not throw in this case

Sample code came after reproducing and narrowing some live-ish code I found while doing a security audit on regex complexities.

Upstream KopiLua seems to have an older PR that may fix this? https://github.com/NLua/KopiLua/pull/21/files but I haven't had a chance to merge-refactor it in to our local moonsharp fork yet.