CVE-2025-4779
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-12-03
Assigner: huntr.dev
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lunary | lunary | to 1.9.24 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in lunary-ai/lunary versions prior to 1.9.24. An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field. The application then uses `dangerouslySetInnerHTML` to render this attacker-controlled text, allowing the injected JavaScript to execute in the user's browser context. This can lead to session hijacking, data theft, or other malicious actions. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in your browser when interacting with the vulnerable application. This can result in session hijacking, theft of sensitive data, unauthorized actions performed on your behalf, or other malicious activities that compromise your security and privacy. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it can lead to unauthorized access and theft of personal or sensitive data through session hijacking or data theft. Such breaches of confidentiality and data protection requirements may result in non-compliance with these regulations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by monitoring requests to the `v1/runs/ingest` endpoint for suspicious payloads containing an empty `citations` field. Look for HTTP POST requests with JSON bodies where the `citations` field is empty or malformed. Additionally, testing the endpoint by sending crafted requests with empty `citations` fields and observing if malicious JavaScript executes in the frontend can confirm the vulnerability. Specific commands depend on your environment, but for example, using curl to test the endpoint: `curl -X POST -H "Content-Type: application/json" -d '{"citations": ""}' https://your-lunary-instance/v1/runs/ingest` and then checking the frontend for script execution. Network monitoring tools or web application firewalls can be configured to alert on such suspicious payloads. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade lunary-ai/lunary to version 1.9.24 or later, where the vulnerability is fixed by removing the use of `dangerouslySetInnerHTML` and safely rendering user input. If upgrading immediately is not possible, consider implementing input validation or sanitization on the `citations` field to prevent empty or malicious inputs, and restrict access to the vulnerable endpoint. Additionally, monitor and block suspicious requests targeting the `v1/runs/ingest` endpoint until the patch can be applied. [1]