Login Sign Up

CVE-2024-11301

6.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers to overwrite existing evaluator data by submitting POST requests with duplicate slugs in the same project. It affects all users of lunary-ai/lunary versions before 1.6.3, potentially leading to data corruption and system functionality impairment.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: All versions before 1.6.3
Operating Systems: All platforms running lunary
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of lunary before version 1.6.3 are vulnerable regardless of configuration.

📦 What is this software?

Lunary by Lunary

View all CVEs affecting Lunary →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete data corruption of evaluator configurations, potential loss of critical evaluation data, and disruption of AI model evaluation workflows.

🟠

Likely Case

Accidental or malicious overwriting of evaluator configurations causing data inconsistencies and operational issues.

🟢

If Mitigated

Minor data integrity issues that can be corrected through manual intervention and proper backup procedures.

🌐 Internet-Facing: MEDIUM - Requires authenticated access to the lunary application, but once authenticated, exploitation is straightforward.
🏢 Internal Only: MEDIUM - Internal users with access could accidentally or intentionally overwrite evaluator data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the lunary application and knowledge of existing evaluator slugs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.3

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd

Restart Required: Yes

Instructions:

1. Update lunary to version 1.6.3 or later. 2. Restart the lunary application. 3. Verify the unique constraint is now enforced on projectId+slug combinations.

🔧 Temporary Workarounds

Application-layer validation

all

Implement custom validation to check for existing slug+projectId combinations before creating new evaluators.

Database constraint

all

Add a unique constraint to the database schema for the combination of projectId and slug columns.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can create evaluators.
  • Monitor logs for duplicate POST requests to evaluator creation endpoints.

🔍 How to Verify

Check if Vulnerable:

Check if you can create two evaluators with the same slug in the same project via API or UI.

Check Version:

Check package.json or run: npm list @lunary-ai/lunary

Verify Fix Applied:

Attempt to create duplicate evaluators with same slug in same project - should be rejected with error.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /api/evaluators with same slug and projectId
  • Database constraint violation errors

Network Indicators:

  • Repeated POST requests to evaluator creation endpoints with similar payloads

SIEM Query:

source="lunary" AND (method="POST" AND uri="/api/evaluators") | stats count by slug, projectId | where count > 1

📊 Metadata

CVE ID: CVE-2024-11301
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-837
EPSS Score: 0.04% exploit probability (13th percentile)
Published: March 20, 2025
Last Updated: July 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-11301, you might also want to check these:

CVE-2025-62782 5.3

InventoryGui library versions 1.6.3-SNAPSHOT and earlier contain a vulnerability that allows item du...

Same vulnerability type (CWE-837)
CVE-2025-62784 5.3

This vulnerability allows item duplication in Minecraft servers using the InventoryGui library when ...

Same vulnerability type (CWE-837)
CVE-2025-58135 5.3

This vulnerability in Zoom Workplace Clients for Windows allows unauthenticated attackers to access ...

Same vulnerability type (CWE-837)