CVE-2025-4779

Exploit

EPSS 0.42%
Veröffentlicht 07.07.2025 09:53:10
Zuletzt bearbeitet 03.12.2025 20:33:57
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

Stored Cross-site Scripting (XSS) in lunary-ai/lunary

lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lunary ≫ Lunary Version < 1.9.24

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.33

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security@huntr.dev	9.1	3.9	5.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://huntr.com/bounties/c603b64e-5171-4eed-8983-a7f656ce2c4d

Patch

Third Party Advisory

Exploit

https://github.com/lunary-ai/lunary/commit/18750294a76ff6c0f3f1b6af4ac1a23399836b16

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-4779

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-4779

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-4779

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-4779