Vulnerability Description
lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | < 1.9.24 |
Related Weaknesses (CWE)
References
- https://github.com/lunary-ai/lunary/commit/18750294a76ff6c0f3f1b6af4ac1a23399836Patch
- https://huntr.com/bounties/c603b64e-5171-4eed-8983-a7f656ce2c4dExploitPatchThird Party Advisory
FAQ
What is CVE-2025-4779?
CVE-2025-4779 is a vulnerability with a CVSS score of 6.1 (MEDIUM). lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding ...
How severe is CVE-2025-4779?
CVE-2025-4779 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-4779?
Check the references section above for vendor advisories and patch information. Affected products include: Lunary Lunary.