CVE-2025-5352
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-23

Last updated on: 2025-11-26

Assigner: huntr.dev

Description
A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-23
Last Modified
2025-11-26
Generated
2026-06-16
AI Q&A
2025-08-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-5352
EUVD
EUVD-2025-25632
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lunary lunary to 1.9.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a critical stored Cross-Site Scripting (XSS) issue in the Analytics component of lunary-ai/lunary versions up to 1.9.23. It occurs because the environment variable NEXT_PUBLIC_CUSTOM_SCRIPT is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows an attacker who can control this environment variable during deployment or via server compromise to execute arbitrary JavaScript in all users' browsers.

Impact Analysis

The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. Arbitrary JavaScript execution in users' browsers can compromise user data and system integrity.

Detection Guidance

Detection involves checking if the vulnerable lunary-ai/lunary version (up to 1.9.23) is deployed and if the environment variable NEXT_PUBLIC_CUSTOM_SCRIPT is set and injected into the DOM. You can inspect the deployed application for the presence of this environment variable usage or the injected script. For example, you can search the deployed code or running environment for the variable with commands like `grep -r NEXT_PUBLIC_CUSTOM_SCRIPT /path/to/deployment` or check environment variables with `printenv | grep NEXT_PUBLIC_CUSTOM_SCRIPT`. Additionally, inspecting the frontend code or network traffic for injected scripts matching the custom script pattern may help. Since the vulnerability involves script injection via dangerouslySetInnerHTML, using browser developer tools to inspect the DOM for unexpected script tags or inline scripts related to this variable can also help detect exploitation. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade lunary-ai/lunary to version 1.9.25 or later, where the vulnerable code injecting the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable has been removed. If upgrading is not immediately possible, ensure that the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is not set or controlled by untrusted sources to prevent arbitrary script injection. Additionally, review deployment and server environments for any compromise that could allow manipulation of this environment variable. Removing or sanitizing this environment variable before deployment can reduce risk until the upgrade is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-5352. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart