Overview
A critical security vulnerability, identified as CVE-2025-9803, has been discovered in lunary-ai/lunary version 1.9.34. The vulnerability allows potential account takeover because of improper authentication in the Google OAuth integration. The application fails to validate the ‘aud’ (audience) field of Google-issued tokens, so an attacker can present a token issued to a different, possibly malicious, application and gain unauthorized access to legitimate user accounts. The issue has been addressed in version 1.9.35. If you are running an affected version, immediate action is required.
Technical Details
The vulnerability stems from the lack of proper validation of the ‘aud’ (audience) claim within the JSON Web Token (JWT) received during the Google OAuth authentication process. The ‘aud’ claim specifies the intended recipient of the token. By failing to verify that the token was specifically issued for the Lunary AI application, an attacker could potentially use a token obtained for another, potentially malicious, application to authenticate as a legitimate user on the Lunary AI platform. This bypasses standard security measures and grants unauthorized access.
Specifically, the code in lunary-ai/lunary version 1.9.34 does not contain logic to explicitly check if the ‘aud’ field in the Google OAuth token matches the expected value for the Lunary AI application. This oversight creates the opportunity for exploitation.
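The following added example (not Lunary's own code) shows the kind of audience check the advisory describes as missing, next to the pattern that accepts any Google-signed token. The client ID, the sample tokens and the clock value are constructed placeholders; signature verification is assumed to have happened before these claim checks run.

```javascript
// Added example: claim validation for a Google ID-token-style JWT payload.
// EXPECTED_CLIENT_ID is a constructed placeholder for the app's own OAuth client ID.
const EXPECTED_CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com";
const GOOGLE_ISSUERS = new Set(["https://accounts.google.com", "accounts.google.com"]);

// Decode the payload segment of a compact JWT (header.payload.signature).
// The signature is assumed to have been verified against Google's keys already.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Vulnerable pattern: trusts any Google-signed token, whoever it was issued to.
function acceptWithoutAudienceCheck(claims) {
  return typeof claims.email === "string" && claims.email_verified === true;
}

// Hardened pattern: issuer, audience (string or array per RFC 7519 §4.1.3)
// and expiry are all checked before the asserted email is trusted.
function validateClaims(claims, expectedAud, nowSeconds) {
  if (!GOOGLE_ISSUERS.has(claims.iss)) return { ok: false, reason: "bad issuer" };
  const audList = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audList.includes(expectedAud)) return { ok: false, reason: "aud mismatch" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return { ok: false, reason: "expired" };
  if (typeof claims.email !== "string" || claims.email_verified !== true) {
    return { ok: false, reason: "email not verified" };
  }
  return { ok: true, email: claims.email };
}

// Constructed, unsigned sample tokens (signature segment is a dummy string).
function makeToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(claims)}.sig`;
}
const NOW = 1_700_000_000; // constructed "current time" in seconds
const base = { iss: "https://accounts.google.com", email: "user@example.com", email_verified: true, exp: NOW + 3600 };
const foreignToken = makeToken({ ...base, aud: "OTHER_APP.apps.googleusercontent.com" }); // minted for another app
const ownToken = makeToken({ ...base, aud: EXPECTED_CLIENT_ID });

console.log(acceptWithoutAudienceCheck(decodePayload(foreignToken)));              // true: the missing check
console.log(validateClaims(decodePayload(foreignToken), EXPECTED_CLIENT_ID, NOW)); // { ok: false, reason: 'aud mismatch' }
console.log(validateClaims(decodePayload(ownToken), EXPECTED_CLIENT_ID, NOW));     // { ok: true, email: 'user@example.com' }
```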
CVSS Analysis
Currently, a CVSS score and severity level have not been assigned for CVE-2025-9803. However, considering the potential for full account takeover, it is highly likely that this vulnerability will be classified as Critical upon evaluation. We strongly advise treating this vulnerability with the highest level of urgency.
Possible Impact
Successful exploitation of CVE-2025-9803 can lead to severe consequences, including:
- Account Takeover: Attackers can gain complete control over user accounts.
- Data Breach: Unauthorized access to sensitive user data stored within Lunary AI.
- Service Disruption: Attackers could potentially disrupt the functionality of the Lunary AI platform.
- Reputational Damage: A successful attack can significantly damage the reputation of Lunary AI.
Mitigation and Patch Steps
The vulnerability has been resolved in Lunary AI version 1.9.35. To mitigate the risk, it is strongly recommended that all users of lunary-ai/lunary upgrade to version 1.9.35 or later immediately. This update includes the necessary validation checks for the ‘aud’ field in Google OAuth tokens, preventing unauthorized access.
- Backup Your Data: Before upgrading, ensure you have a recent backup of your Lunary AI data.
- Upgrade to Version 1.9.35: Follow the official Lunary AI upgrade instructions to update your installation to version 1.9.35.
- Verify the Update: After upgrading, confirm that the application is running version 1.9.35 or later.
- Monitor Logs: Closely monitor your application logs for any suspicious activity.
References
lunary-ai Commit (Fix): https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91
Huntr Bounty: https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6
