Stored Cross-Site Scripting Vulnerability in Lunary by Lunary-AI
CVE-2025-5352

8.1 HIGH

Key Information:

Vendor: Lunary-ai
CVE Published: 23 August 2025

What is CVE-2025-5352?

A stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of Lunary by Lunary-AI, affecting versions up to 1.9.23. The component reads the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable and injects its value directly into the DOM via dangerouslySetInnerHTML, without sanitization or validation. An attacker who gains control of that environment variable, for example through a compromised deployment pipeline or server, can therefore execute arbitrary JavaScript in the browser of every user who loads the page. The resulting risks include account takeover, data theft and malware distribution, and because the payload lives in deployment configuration rather than in user data, it keeps affecting all users until the environment variable itself is cleaned up. The issue has been addressed in version 1.9.25.
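The safer alternative to the pattern described above is to treat a deployment-time "custom script" setting as untrusted configuration: accept only an https URL on an allowlisted host and emit a `<script src>` tag with a CSP nonce, rather than rendering the raw string as HTML. The following is an added example written for this page, not Lunary's code or its actual fix in 1.9.25; the allowlist host, the nonce value and the helper names (`ALLOWED_SCRIPT_HOSTS`, `validateCustomScript`, `renderCustomScriptTag`, `renderUnsafe`) are all hypothetical.

```javascript
// Added example (not Lunary's code or fix): validate a "custom script"
// deployment setting before it reaches the DOM, and fail closed on bad input.
// All names and the allowlist below are hypothetical.

// Constructed allowlist: hosts a deployment may load analytics scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set(['analytics.example.com']);

// The pattern the advisory describes: the configured string becomes markup
// verbatim, so whoever controls the variable controls the page. Equivalent to
// <div dangerouslySetInnerHTML={{ __html: value }} /> in React.
function renderUnsafe(value) {
  return `<div>${value}</div>`;
}

// Accept only a clean https URL on an allowlisted host; everything else is
// reported with a reason so the deployment can be fixed, not silently rendered.
function validateCustomScript(value) {
  if (value === undefined || value === null || value.trim() === '') {
    return { ok: true, url: null }; // unset: nothing to render
  }
  if (/[<>"'\s]/.test(value)) {
    return { ok: false, reason: 'inline markup or whitespace is not permitted' };
  }
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return { ok: false, reason: 'value is not an absolute URL' };
  }
  if (parsed.protocol !== 'https:') {
    return { ok: false, reason: 'only https URLs are permitted' };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: 'credentials in the URL are not permitted' };
  }
  if (!ALLOWED_SCRIPT_HOSTS.has(parsed.hostname)) {
    return { ok: false, reason: `host ${parsed.hostname} is not allowlisted` };
  }
  return { ok: true, url: parsed.href };
}

// Attribute escaping so the URL and nonce cannot break out of their attributes.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened rendering: throw on invalid configuration (the build or start-up
// should fail loudly), otherwise emit a script tag whose source is the
// validated URL. The nonce is meant to match a Content-Security-Policy
// script-src 'nonce-...' directive served with the page, so even a tag that
// somehow slipped into the markup without the nonce would not execute.
function renderCustomScriptTag(value, nonce) {
  const result = validateCustomScript(value);
  if (!result.ok) {
    throw new Error(`NEXT_PUBLIC_CUSTOM_SCRIPT rejected: ${result.reason}`);
  }
  if (result.url === null) return '';
  return `<script src="${escapeAttr(result.url)}" nonce="${escapeAttr(nonce)}"></script>`;
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== 'undefined' && require.main === module) {
  const tampered = '<script>console.log("constructed payload")</script>';
  console.log('unsafe render :', renderUnsafe(tampered));
  console.log('validation    :', validateCustomScript(tampered));
  console.log('hardened      :', renderCustomScriptTag('https://analytics.example.com/a.js', 'r4nd0m'));
}
```

The check belongs at build or start-up time as well as at render time: a value that fails `validateCustomScript` indicates tampered or misconfigured deployment settings, which is exactly the condition this advisory describes, and rejecting it there stops the payload before any user loads the page.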

Affected Version(s)

lunary-ai/lunary < 1.9.25

References

CVSS V3.0

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
