CVE-2025-5352

CRITICAL EPSS 36.4%
Published Aug 23, 202510mo ago · Modified Jun 17, 20261w ago
9.6 CVSS 3.1
Critical
Find Similar
Published Aug 23, 2025 10mo ago
Last Modified Jun 17, 2026 1w ago

Description

A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25.

CVSS Details

Base Score
9.6
Exploitability
2.8
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
36.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
lunarylunary* <1.9.25

References 2

  • github.com https://github.com/lunary-ai/lunary/commit/e2e43e88cecf742bacb639ab880507bbfdfd065c
    Patch
  • huntr.com https://huntr.com/bounties/f1d3dbce-3c3e-480e-b81e-0e8afa05c491
    ExploitPatchThird Party Advisory

Remediation

  • github.com https://github.com/lunary-ai/lunary/commit/e2e43e88cecf742bacb639ab880507bbfdfd065c
    Patch
  • huntr.com https://huntr.com/bounties/f1d3dbce-3c3e-480e-b81e-0e8afa05c491
    ExploitPatchThird Party Advisory