CVE-2024-3502
📋 TL;DR
This vulnerability exposes account recovery hashes through API endpoints in lunary-ai/lunary, allowing authenticated users to access sensitive information that could facilitate account recovery attacks. All users of lunary-ai/lunary versions up to 1.2.5 are affected. The vulnerability requires authentication but exposes sensitive data that should be protected.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use exposed recovery hashes to hijack user accounts, potentially gaining unauthorized access to sensitive AI/ML data and systems.
Likely Case
Authenticated users could harvest recovery hashes for other users, enabling targeted account recovery attacks or credential stuffing attacks.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires authenticated access, but once authenticated it is trivial: the attacker simply queries the vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.6
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74
Restart Required: Yes
Instructions:
1. Update lunary-ai/lunary to version 1.2.6 or later.
2. Restart the lunary service.
3. Verify the fix by checking that recovery hashes are no longer exposed in API responses.
🔧 Temporary Workarounds
API Response Filtering
Implement a middleware or reverse proxy that strips recovery hash fields from API responses.
Access Restriction
Temporarily restrict access to the /v1/users/me and /v1/users/me/org endpoints.
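The two workarounds above can be combined in one response filter: redact recovery-related keys, but only for the two listed endpoints. This is an added example, not lunary's own code; the advisory does not name the recovery hash field, so the key pattern /recover/i and the sample field names are assumptions.

```javascript
// Added example (not lunary-ai/lunary code): response filter for the
// "API Response Filtering" workaround, scoped to the two affected endpoints.
const FILTERED_PATHS = new Set(["/v1/users/me", "/v1/users/me/org"]);
// Assumption: the recovery hash field name contains "recover" (e.g. recoveryToken).
const SENSITIVE_KEY = /recover/i;

// Normalise the request path (drop query string and trailing slash) and
// decide whether this response needs filtering.
function shouldFilter(uriPath) {
  const p = uriPath.split("?")[0].replace(/\/+$/, "");
  return FILTERED_PATHS.has(p);
}

// Recursively remove sensitive keys from nested objects and arrays;
// scalars are returned unchanged.
function redactSensitiveKeys(value) {
  if (Array.isArray(value)) return value.map(redactSensitiveKeys);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (SENSITIVE_KEY.test(k)) continue; // drop the recovery hash field
      out[k] = redactSensitiveKeys(v);
    }
    return out;
  }
  return value;
}

// Apply redaction only to responses for the affected endpoints.
function filterResponse(uriPath, body) {
  return shouldFilter(uriPath) ? redactSensitiveKeys(body) : body;
}

// Constructed sample response with hypothetical field names (not lunary's schema).
const sample = {
  id: "u_123",
  email: "alice@example.com",
  recoveryToken: "HASH-PLACEHOLDER",
  org: { name: "Acme", users: [{ id: "u_456", recovery_hash: "HASH-PLACEHOLDER" }] },
};

// In an Express/Koa-style middleware (assumption) this would wrap the JSON
// serialiser: body = filterResponse(req.path, body) before sending.
console.log(JSON.stringify(filterResponse("/v1/users/me/org", sample)));
```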
🧯 If You Can't Patch
- Implement strict access controls and monitoring on the vulnerable endpoints
- Rotate all user account recovery tokens and monitor for suspicious recovery attempts
🔍 How to Verify
Check if Vulnerable:
Authenticate to lunary and query the GET /v1/users/me endpoint, then check whether the response contains recovery hash fields.
Check Version:
Check the lunary version in package.json or via the application's metadata endpoints.
Verify Fix Applied:
After patching, query the same endpoints and verify recovery hash fields are no longer present in responses.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of requests to /v1/users/me endpoints
- Multiple failed account recovery attempts
Network Indicators:
- Excessive API calls to user endpoints from single sources
SIEM Query:
source="lunary" AND (uri_path="/v1/users/me" OR uri_path="/v1/users/me/org") | stats count by src_ip