CVE-2025-5352
📋 TL;DR
A critical stored XSS vulnerability in the lunary-ai/lunary Analytics component allows arbitrary JavaScript execution in all users' browsers when attackers control the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable. This affects all users of versions up to 1.9.23 and can lead to complete account takeover and data theft. The vulnerability persists until the environment variable is cleaned or the system is patched.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts, exfiltration of sensitive data, malware distribution to all users, and persistent control over the application until environment variable cleanup.
Likely Case
Session hijacking, credential theft, and data exfiltration from authenticated users, leading to account compromise and potential lateral movement.
If Mitigated
Limited impact with proper environment variable access controls and monitoring, though the XSS payload could still execute if the variable is compromised.
🎯 Exploit Status
Exploitation requires control of the environment variable through the deployment process or a server compromise, but payload execution affects all users without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.25
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/e2e43e88cecf742bacb639ab880507bbfdfd065c
Restart Required: Yes
Instructions:
1. Update lunary to version 1.9.25 or later.
2. Restart the application.
3. Verify the fix by checking that dangerouslySetInnerHTML is no longer used for NEXT_PUBLIC_CUSTOM_SCRIPT injection.
🔧 Temporary Workarounds
Remove or Sanitize Environment Variable
Remove the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable or implement server-side sanitization before injection.
unset NEXT_PUBLIC_CUSTOM_SCRIPT
export NEXT_PUBLIC_CUSTOM_SCRIPT=''
Implement Content Security Policy
Add strict CSP headers to prevent inline script execution and limit script sources.
Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Implement strict access controls on environment variable management and deployment processes.
- Monitor and audit all changes to environment variables, especially NEXT_PUBLIC_CUSTOM_SCRIPT.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed version is ≤1.9.23 and inspect the source code for dangerouslySetInnerHTML usage with NEXT_PUBLIC_CUSTOM_SCRIPT.
Check Version:
npm list lunary-ai/lunary or check package.json version
Verify Fix Applied:
Verify that the version is ≥1.9.25 and that commit e2e43e88cecf742bacb639ab880507bbfdfd065c is present.
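The verification steps above as a small script, added here as an example and not part of the advisory or of the lunary project: it classifies a version against the advisory's affected (≤1.9.23) and fixed (≥1.9.25) ranges, and scans source text for dangerouslySetInnerHTML fed from NEXT_PUBLIC_CUSTOM_SCRIPT. The package.json and component snippets are constructed samples; the function names and the 200-character scan window are this example's own choices.

```javascript
// Added example: the "How to Verify" checks as functions over strings,
// so they run offline and can be pointed at files read from disk.

// Parse "1.9.23" -> [1, 9, 23]; parseInt drops suffixes such as "-beta".
function parseVersion(v) {
  return v.replace(/^v/, '').split('.').map(p => parseInt(p, 10) || 0);
}

// Comparator (-1, 0, 1); shorter versions are padded with zeros.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Ranges from the advisory: affected up to 1.9.23, fixed in 1.9.25.
const LAST_AFFECTED = '1.9.23';
const FIXED_IN = '1.9.25';

function versionStatus(version) {
  if (compareVersions(version, LAST_AFFECTED) <= 0) return 'vulnerable';
  if (compareVersions(version, FIXED_IN) >= 0) return 'fixed';
  return 'unknown'; // e.g. 1.9.24: the advisory lists it as neither affected nor fixed
}

// Reads the version field from package.json text and classifies it.
function checkPackageJson(text) {
  return versionStatus(JSON.parse(text).version);
}

// Heuristic source scan: dangerouslySetInnerHTML whose object literal references
// NEXT_PUBLIC_CUSTOM_SCRIPT within 200 characters. Returns 1-based line numbers.
function findUnsafeInjection(source) {
  const re = /dangerouslySetInnerHTML\s*=\s*\{\{[\s\S]{0,200}?NEXT_PUBLIC_CUSTOM_SCRIPT/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    hits.push(source.slice(0, m.index).split('\n').length);
  }
  return hits;
}

// Constructed sample inputs (not taken from the lunary code base).
const SAMPLE_PACKAGE_JSON = '{"name":"lunary","version":"1.9.23"}';
const SAMPLE_COMPONENT = '<script dangerouslySetInnerHTML={{\n' +
  '  __html: process.env.NEXT_PUBLIC_CUSTOM_SCRIPT }} />';
```

A version between the two ranges (1.9.24) is reported as unknown rather than guessed either way, since the advisory does not state its status.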
📡 Detection & Monitoring
Log Indicators:
- Unexpected changes to environment variables
- Deployment logs showing environment variable modifications
- Application errors related to script execution
Network Indicators:
- Unusual outbound connections from user browsers
- Requests to unexpected domains from application pages
SIEM Query:
source="application_logs" AND ("NEXT_PUBLIC_CUSTOM_SCRIPT" OR "dangerouslySetInnerHTML")