CVE-2025-4779

Summary

lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the v1/runs/ingest endpoint by adding an empty citations field, triggering a code path where dangerouslySetInnerHTML is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.

Affected Software

VendorProductVersion RangeStatus
lunary-ailunary-ai/lunaryunspecified < 1.9.24affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References