CVE-2024-5133
📋 TL;DR
This vulnerability allows authenticated users to capture password recovery tokens from other users via the API, enabling account takeover by resetting passwords without consent. It affects all users of lunary-ai/lunary version 1.2.4 where the vulnerable endpoint is accessible.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user in the system, leading to data theft, privilege escalation, and unauthorized access to sensitive information.
Likely Case
Targeted account takeover of specific users by malicious insiders or compromised accounts, resulting in unauthorized access and potential data exfiltration.
If Mitigated
Limited impact with proper access controls and monitoring, though the vulnerability still exposes sensitive tokens.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via API calls to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific version
Vendor Advisory: https://huntr.com/bounties/6057598d-93c4-4a94-bb80-5bd508013c5b
Restart Required: Yes
Instructions:
1. Update lunary-ai/lunary to the patched version.
2. Restart the application.
3. Verify the fix by checking that recovery tokens are no longer exposed in API responses.
🔧 Temporary Workarounds
Disable or restrict access to vulnerable endpoint
Temporarily block or limit access to the GET /v1/users/me/org endpoint to prevent token exposure.
# Use firewall rules or API gateway to restrict access
# Example: iptables -A INPUT -p tcp --dport <api_port> -m string --string "/v1/users/me/org" --algo bm -j DROP
Modify API response filtering
Implement middleware or filters to remove recovery_token from API responses before they are sent.
# Add code to filter out recovery_token attribute in the API response
# Example in Node.js: delete userObject.recovery_token;
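As an added example of the response-filtering workaround (not the Lunary project's own code), the Node.js helpers below strip recovery_token from a JSON payload at any nesting depth, report any leaked paths for the "Check if Vulnerable" step, and hook an Express-style res.json; the field list, the res.json hook shape and the sample org response are assumptions.

```javascript
const SENSITIVE_FIELDS = new Set(['recovery_token', 'password_hash']);

// Return a deep copy of `value` with every key in `fields` removed, however
// deeply nested (arrays of users, nested org objects, ...).
function redactSensitiveFields(value, fields = SENSITIVE_FIELDS) {
  if (Array.isArray(value)) {
    return value.map((item) => redactSensitiveFields(item, fields));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      if (!fields.has(key)) out[key] = redactSensitiveFields(inner, fields);
    }
    return out;
  }
  return value;
}

// Verification helper for the "Check if Vulnerable" step: list the JSON paths
// of every sensitive key still present in a captured response.
function findLeakedFields(value, fields = SENSITIVE_FIELDS, path = '$', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findLeakedFields(item, fields, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, inner] of Object.entries(value)) {
      if (fields.has(key)) found.push(`${path}.${key}`);
      else findLeakedFields(inner, fields, `${path}.${key}`, found);
    }
  }
  return found;
}

// Express-style hook (assumed API shape): wrap res.json so every JSON body is
// redacted before serialisation.
function installRedactingJson(res) {
  const originalJson = res.json.bind(res);
  res.json = (body) => originalJson(redactSensitiveFields(body));
  return res;
}

// Constructed sample shaped like an org response carrying a users array; the
// token values are placeholders, not real Lunary tokens.
const SAMPLE_ORG_RESPONSE = {
  id: 'org_123',
  name: 'example-org',
  users: [
    { id: 'u1', email: 'alice@example.com', role: 'admin', recovery_token: 'PLACEHOLDER_TOKEN_A' },
    { id: 'u2', email: 'bob@example.com', role: 'member', recovery_token: null },
  ],
};
```

Because the filter matches on key name rather than value, a user whose token is currently null is still redacted, and the original object is left untouched so logging or auditing code upstream is unaffected.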
🧯 If You Can't Patch
- Implement strict access controls and monitoring on the vulnerable endpoint to detect and block exploitation attempts.
- Enforce strong authentication and session management to reduce the risk of account compromise.
🔍 How to Verify
Check if Vulnerable:
Authenticate to the application and call the GET /v1/users/me/org endpoint. Check if the response includes recovery_token in user objects.
Check Version:
Check the application version via its admin interface or configuration files; for lunary, refer to package.json or similar.
Verify Fix Applied:
After patching, call the same endpoint and confirm that recovery_token is no longer present in the API response.
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to GET /v1/users/me/org from non-admin users
- Multiple password reset requests for different accounts from a single source
Network Indicators:
- Increased traffic to the vulnerable endpoint
- Patterns of requests harvesting user data
SIEM Query:
source="api_logs" AND uri="/v1/users/me/org" AND user_role!="admin" | stats count by src_ip