CVE-2025-5352

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-5352
A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/lunary-ai/lunary/commit/e2e43e88cecf742bacb639ab880507bbfdfd065c
https://huntr.com/bounties/f1d3dbce-3c3e-480e-b81e-0e8afa05c491
Configurations

No configuration.

History

25 Aug 2025, 20:24

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad crítica de cross-site scripting (XSS) almacenado en el componente Analytics de las versiones de lunary-ai/lunary hasta la 1.9.23. En esta vulnerabilidad, la variable de entorno NEXT_PUBLIC_CUSTOM_SCRIPT se inyecta directamente en el DOM mediante dangerouslySetInnerHTML sin ninguna validación ni depuración. Esto permite la ejecución arbitraria de JavaScript en los navegadores de todos los usuarios si un atacante puede controlar la variable de entorno durante la implementación o mediante la vulneración del servidor. Esta vulnerabilidad puede provocar la apropiación total de cuentas, la exfiltración de datos, la distribución de malware y ataques persistentes que afectan a todos los usuarios hasta que se limpie la variable de entorno. El problema se ha corregido en la versión 1.9.25.

23 Aug 2025, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-23 07:15

Updated : 2025-08-25 20:24

NVD link : CVE-2025-5352

Mitre link : CVE-2025-5352

CVE.ORG link : CVE-2025-5352

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')