Stored Cross-Site Scripting Vulnerability in Lunary by Lunary-AI
CVE-2025-0281

5.4 MEDIUM

Key Information:

Vendor: Lunary-ai
CVE Published: 20 March 2025

What is CVE-2025-0281?

A stored cross-site scripting vulnerability exists in Lunary versions 1.6.7 and earlier, where an attacker can inject malicious JavaScript into the SAML IdP XML metadata. This metadata is used to build the SAML login redirect URL, which is then assigned to window.location.href without validation or sanitization. As a result, arbitrary JavaScript can execute within the user’s browser context, potentially leading to severe security breaches, including session hijacking and data theft. Users are advised to upgrade to version 1.7.10 to mitigate the risk.
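A defensive check for the sink described above, as an added example that is not Lunary's code or its actual fix: the URL taken from IdP metadata is parsed and restricted to `https:` and a known IdP host before it reaches `location.href`. The names `safeSamlRedirectUrl`, `navigateToIdp` and the `idp.example.com` allowlist are assumptions made for illustration.

```javascript
// Added example: validate an IdP-supplied SSO URL before the browser navigates to it.
// All names and the allowlist below are hypothetical, not taken from Lunary.

const ALLOWED_SCHEMES = new Set(["https:"]);

// Returns a normalized URL string that is safe to navigate to, or null.
function safeSamlRedirectUrl(candidate, allowedHosts) {
  if (typeof candidate !== "string") return null;
  let url;
  try {
    // WHATWG parsing normalizes input the way a browser does: leading
    // whitespace and embedded tabs/newlines are removed before the scheme
    // is read, so obfuscated schemes are seen in their effective form.
    url = new URL(candidate);
  } catch {
    return null; // relative or malformed values are refused, not guessed at
  }
  // Scheme allowlist: anything other than https: (javascript:, data:, ...) is rejected.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Embedded credentials can disguise the real host; refuse them.
  if (url.username || url.password) return null;
  // Only hosts the administrator configured as the IdP are accepted.
  if (!allowedHosts.includes(url.hostname)) return null;
  return url.href;
}

// Takes a location-like object so the sink can be exercised outside a browser.
// In a page this would be called as navigateToIdp(window.location, url, hosts).
function navigateToIdp(locationLike, candidate, allowedHosts) {
  const target = safeSamlRedirectUrl(candidate, allowedHosts);
  if (target === null) return false; // caller should show an error instead
  locationLike.href = target;
  return true;
}

// Constructed sample allowlist for the example.
const IDP_HOSTS = ["idp.example.com"];
```

The same validation belongs on the server at the point where the metadata is stored, so a rejected value never reaches any client.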

Affected Version(s)

lunary-ai/lunary < 1.7.10

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

CVSS V3.0

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
