CVE-2025-4962
BaseFortify
Publication date: 2025-08-18
Last updated on: 2025-08-18
Assigner: huntr.dev
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lunary | api | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in the Lunary API's POST /v1/templates endpoint. It allows authenticated users to create templates in projects they do not own by changing the projectId query parameter. The root cause is the lack of server-side validation to confirm that the user owns the specified projectId before allowing the action. [1]
How can this vulnerability impact me?
This vulnerability can allow an authenticated user to manipulate the projectId parameter to create templates in other users' projects without authorization. This unauthorized access can lead to data integrity issues, unauthorized modifications, and potential misuse of project resources. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring API requests to the POST /v1/templates endpoint and checking whether authenticated users can create templates in projects they do not own by altering the projectId query parameter. You can reproduce the check against your own deployment with an HTTP client such as curl, for example: `curl -X POST "https://your-lunary-api/v1/templates?projectId=some-other-users-project" -H "Authorization: Bearer <valid_token>" -d '{"templateData":...}'`. If the request succeeds without an authorization error, the instance is vulnerable. Additionally, reviewing server logs for unauthorized access attempts, or for the presence of the error message "Unauthorized access to project", can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Lunary API to version 1.9.23 or later, where the vulnerability has been fixed. The fix includes proper authorization checks to ensure that the authenticated user owns the specified projectId before allowing template creation. If upgrading is not immediately possible, implement server-side authorization checks to verify user ownership of the projectId in the POST /v1/templates endpoint, reject unauthorized requests with HTTP 401 status, and add logging to monitor unauthorized access attempts. [1]
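The following is an added illustration of the authorization check and log monitoring described in the two answers above; it is not Lunary's code and does not reflect how the 1.9.23 fix is implemented. The in-memory project store, user and project identifiers, request shape and log lines are all constructed for the example. It shows the vulnerable handler pattern (trusting the projectId query parameter as-is) beside the checked version, which resolves the project and compares its owning organisation with the caller's before writing, and it rejects with the HTTP 401 status the answer above names (403 is the conventional code for an authenticated caller that lacks permission). A small scanner then counts the "Unauthorized access to project" log message per user, which is the signal a defender would alert on.

```typescript
// Added example, not Lunary's code. Names, data and log lines are constructed.

type User = { id: string; orgId: string };
type Project = { id: string; orgId: string };

// Constructed stand-in for the database: which organisation owns which project.
const PROJECTS: Record<string, Project> = {
  "proj-a": { id: "proj-a", orgId: "org-1" },
  "proj-b": { id: "proj-b", orgId: "org-2" },
};

// Templates written by the handlers below.
const TEMPLATES: Array<{ projectId: string; slug: string }> = [];

interface CreateTemplateRequest {
  user: User; // set by the authentication layer from the bearer token
  query: { projectId?: string }; // ?projectId=... from the URL
  body: { slug: string };
}

interface Response {
  status: number;
  body: Record<string, unknown>;
}

// Vulnerable pattern: the caller is authenticated, but the projectId is taken
// straight from the query string and never tied back to that caller.
function createTemplateUnchecked(req: CreateTemplateRequest): Response {
  const projectId = req.query.projectId ?? "";
  TEMPLATES.push({ projectId, slug: req.body.slug });
  return { status: 201, body: { projectId, slug: req.body.slug } };
}

// Fixed pattern: look the project up server-side and require that it belongs
// to the caller's organisation. Unknown projects fail closed. Every rejection
// is appended to `log` so the attempt can be monitored.
function createTemplateChecked(req: CreateTemplateRequest, log: string[] = []): Response {
  const projectId = req.query.projectId ?? "";
  const project = PROJECTS[projectId];
  if (!project || project.orgId !== req.user.orgId) {
    log.push(
      `${new Date().toISOString()} user=${req.user.id} project=${projectId} ` +
        `msg="Unauthorized access to project"`,
    );
    // 401 follows the advisory text; 403 is the conventional choice here.
    return { status: 401, body: { error: "Unauthorized access to project" } };
  }
  TEMPLATES.push({ projectId, slug: req.body.slug });
  return { status: 201, body: { projectId, slug: req.body.slug } };
}

// Constructed log lines in the format emitted above.
const SAMPLE_LOG: string[] = [
  '2025-08-18T10:00:01Z user=u-7 project=proj-b msg="Unauthorized access to project"',
  '2025-08-18T10:00:02Z user=u-7 project=proj-b msg="Unauthorized access to project"',
  '2025-08-18T10:00:03Z user=u-2 project=proj-a msg="template created"',
  '2025-08-18T10:00:04Z user=u-7 project=proj-c msg="Unauthorized access to project"',
];

// Detection: count rejected cross-project attempts per user. Repeated hits
// from one user across several projectIds is the pattern worth alerting on.
function countUnauthorizedByUser(lines: string[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const line of lines) {
    if (!line.includes('msg="Unauthorized access to project"')) continue;
    const m = /\buser=(\S+)/.exec(line);
    if (!m) continue;
    counts.set(m[1], (counts.get(m[1]) ?? 0) + 1);
  }
  return counts;
}

// Stand-alone run: a user in org-1 targets proj-b (owned by org-2).
const alice: User = { id: "u-1", orgId: "org-1" };
const crossProject: CreateTemplateRequest = {
  user: alice,
  query: { projectId: "proj-b" },
  body: { slug: "welcome" },
};
console.log("unchecked:", createTemplateUnchecked(crossProject).status); // 201 (the bug)
console.log("checked:  ", createTemplateChecked(crossProject).status); // 401
console.log("hits:", Object.fromEntries(countUnauthorizedByUser(SAMPLE_LOG)));
```

The ownership check is deliberately placed inside the handler rather than relying on the caller's own organisation being implied by the token: the token proves who the caller is, while the lookup proves that the project they named is theirs, which is the step the advisory says was missing.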