CVE-2025-4962
📋 TL;DR
An Insecure Direct Object Reference (IDOR) vulnerability in Lunary API versions up to 0.8.8 allows authenticated users to create templates in other users' projects by manipulating the projectId parameter. This occurs because the server doesn't verify that the authenticated user owns the specified project. All users of affected Lunary API versions are impacted.
💻 Affected Systems
- Lunary API
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could create, modify, or delete templates across all projects in the system, potentially disrupting operations or injecting malicious content.
Likely Case
Users accidentally or intentionally creating templates in projects they shouldn't have access to, causing data integrity issues and unauthorized data access.
If Mitigated
With proper access controls, impact is limited to minor data integrity issues within authorized project boundaries.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial with basic HTTP parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.23
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/e977d06f18a615963ffbe07e5bdff70218c29907
Restart Required: Yes
Instructions:
1. Update Lunary to version 1.9.23 or later.
2. Restart the Lunary service.
3. Verify the fix by testing the POST /v1/templates endpoint with unauthorized projectId values.
🔧 Temporary Workarounds
Implement server-side authorization middleware
Add authorization checks before processing template creation requests
# Add authorization logic in your API middleware to verify user owns projectId
Rate limiting and monitoring
Implement rate limiting on POST /v1/templates endpoint and monitor for unusual patterns
# Configure rate limiting: e.g., 10 requests/minute per user
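As an added illustration of the first workaround (example code, not Lunary's own), the JavaScript below shows the ownership check the advisory says is missing, as a pure function placed in front of a template-creation handler, with the vulnerable shape beside the hardened one. The in-memory project table, the user objects and all function names are assumptions.

```javascript
// Added example, not Lunary's code. Constructed in-memory project table:
// each projectId maps to the user who owns it.
const PROJECTS = new Map([
  ["proj-a", { ownerId: "user-1" }],
  ["proj-b", { ownerId: "user-2" }],
]);

// Vulnerable shape: writes to whatever projectId the request body names,
// never asking whether the authenticated user owns that project.
function createTemplateVulnerable(user, body, store) {
  const template = { projectId: body.projectId, name: body.name, createdBy: user.id };
  store.push(template);
  return { status: 201, template };
}

// Ownership check: resolve the requested projectId against the caller's
// own projects before any write happens. Unknown and foreign projects get
// the same 403 so the response does not reveal which projectIds exist.
function authorizeProject(user, projectId, projects = PROJECTS) {
  if (typeof projectId !== "string" || projectId.length === 0) {
    return { ok: false, status: 400, reason: "projectId required" };
  }
  const project = projects.get(projectId);
  if (!project || project.ownerId !== user.id) {
    return { ok: false, status: 403, reason: "forbidden" };
  }
  return { ok: true, project };
}

// Hardened shape: the same handler, gated by the check above.
function createTemplateFixed(user, body, store, projects = PROJECTS) {
  const auth = authorizeProject(user, body.projectId, projects);
  if (!auth.ok) return { status: auth.status, error: auth.reason };
  const template = { projectId: body.projectId, name: body.name, createdBy: user.id };
  store.push(template);
  return { status: 201, template };
}

// Demo: user-1 submits a template for user-2's project through both handlers.
function demo() {
  const user1 = { id: "user-1" };
  const body = { projectId: "proj-b", name: "prompt-v1" };
  const vulnStore = [];
  const fixedStore = [];
  const v = createTemplateVulnerable(user1, body, vulnStore);
  const f = createTemplateFixed(user1, body, fixedStore);
  return { vulnerableStatus: v.status, fixedStatus: f.status,
           vulnerableWrites: vulnStore.length, fixedWrites: fixedStore.length };
}
```

The same check, applied to read, update and delete routes as well, closes the "create, modify, or delete" path described under Worst Case.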
🧯 If You Can't Patch
- Implement WAF rules to detect and block suspicious projectId parameter manipulation
- Add additional logging and monitoring for template creation events across different projects
🔍 How to Verify
Check if Vulnerable:
Test the POST /v1/templates endpoint with an authenticated user token and a projectId belonging to another user. If template creation succeeds, the system is vulnerable.
Check Version:
Check Lunary version in package.json or via API health endpoint if available
Verify Fix Applied:
Repeat the same test against version 1.9.23 or later. Template creation should fail with an authorization error.
📡 Detection & Monitoring
Log Indicators:
- Multiple template creation requests with different projectId values from same user
- Template creation in projects not owned by requesting user
Network Indicators:
- POST requests to /v1/templates with projectId parameter values outside user's normal range
SIEM Query:
source="lunary" AND endpoint="/v1/templates" AND projectId NOT IN (user_projects)