CVE-2025-9803

Exploit

EPSS 0.12%
Veröffentlicht 25.11.2025 00:00:35
Zuletzt bearbeitet 30.12.2025 17:16:19
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lunary ≫ Lunary Version1.9.34

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.321

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security@huntr.dev	9.3	2.8	5.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6

Third Party Advisory

Exploit

https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2025-9803

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-9803

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-9803

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-9803