CVE-2025-4779

lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/18750294a76ff6c0f3f1b6af4ac1a23399836b16	Patch
https://huntr.com/bounties/c603b64e-5171-4eed-8983-a7f656ce2c4d	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

03 Dec 2025, 20:33

Type	Values Removed	Values Added
First Time		Lunary lunary Lunary
CPE		cpe:2.3:a:lunary:lunary::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~9.1~~	v2 : unknown v3 : 6.1
References	~~() https://github.com/lunary-ai/lunary/commit/18750294a76ff6c0f3f1b6af4ac1a23399836b16 -~~	() https://github.com/lunary-ai/lunary/commit/18750294a76ff6c0f3f1b6af4ac1a23399836b16 - Patch
References	~~() https://huntr.com/bounties/c603b64e-5171-4eed-8983-a7f656ce2c4d -~~	() https://huntr.com/bounties/c603b64e-5171-4eed-8983-a7f656ce2c4d - Exploit, Patch, Third Party Advisory

Information

Published : 2025-07-07 10:15

Updated : 2025-12-03 20:33

NVD link : CVE-2025-4779

Mitre link : CVE-2025-4779

CVE.ORG link : CVE-2025-4779

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-4779", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-07-07T10:15:28.717", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/18750294a76ff6c0f3f1b6af4ac1a23399836b16", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/c603b64e-5171-4eed-8983-a7f656ce2c4d", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions."}, {"lang": "es", "value": "Las versiones de lunary-ai/lunary anteriores a la 1.9.24 son vulnerables a cross site scripting (XSS) almacenado. Un atacante no autenticado puede inyectar JavaScript malicioso en el endpoint `v1/runs/ingest` a\u00f1adiendo un campo `citations` vac\u00edo, lo que activa una ruta de c\u00f3digo donde se usa `dangerouslySetInnerHTML` para renderizar texto controlado por el atacante. Esta vulnerabilidad permite la ejecuci\u00f3n de JavaScript arbitrario en el contexto del navegador del usuario, lo que podr\u00eda provocar secuestro de sesi\u00f3n, robo de datos u otras acciones maliciosas."}], "lastModified": "2025-12-03T20:33:57.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3B8B17D-ABA8-4A7C-96FF-61FC3CA3C694", "versionEndExcluding": "1.9.24"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}