CVE-2025-5352

{"id": "CVE-2025-5352", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2025-08-23T07:15:32.300", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/e2e43e88cecf742bacb639ab880507bbfdfd065c", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/f1d3dbce-3c3e-480e-b81e-0e8afa05c491", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25."}, {"lang": "es", "value": "Existe una vulnerabilidad cr\u00edtica de cross-site scripting (XSS) almacenado en el componente Analytics de las versiones de lunary-ai/lunary hasta la 1.9.23. En esta vulnerabilidad, la variable de entorno NEXT_PUBLIC_CUSTOM_SCRIPT se inyecta directamente en el DOM mediante dangerouslySetInnerHTML sin ninguna validaci\u00f3n ni depuraci\u00f3n. Esto permite la ejecuci\u00f3n arbitraria de JavaScript en los navegadores de todos los usuarios si un atacante puede controlar la variable de entorno durante la implementaci\u00f3n o mediante la vulneraci\u00f3n del servidor. Esta vulnerabilidad puede provocar la apropiaci\u00f3n total de cuentas, la exfiltraci\u00f3n de datos, la distribuci\u00f3n de malware y ataques persistentes que afectan a todos los usuarios hasta que se limpie la variable de entorno. El problema se ha corregido en la versi\u00f3n 1.9.25."}], "lastModified": "2025-11-26T17:12:30.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D3374E2-FB92-4D2E-9BE7-54E8915C19E8", "versionEndExcluding": "1.9.25"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}