Stored Cross-Site Scripting Vulnerability in Lunary by Lunary-AI
CVE-2025-5352
Key Information:
- Vendor: Lunary-ai
- Status: Vendor
- CVE Published: 23 August 2025
What is CVE-2025-5352?
A stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of Lunary by Lunary-AI, affecting versions up to 1.9.23. The flaw arises from the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable, whose value is injected directly into the DOM via dangerouslySetInnerHTML without sanitization or validation. An attacker who gains control of that variable, for example through a deployment compromise or a server breach, can execute arbitrary JavaScript in users' browsers. This poses several serious risks, including account takeover, data theft and malware distribution, and because the payload lives in the deployment's configuration it persists for all users until the environment variable is cleaned. The issue has been addressed in version 1.9.25.
Affected Version(s)
lunary-ai/lunary < 1.9.25
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
