Platform
python
Component
lunary-ai/lunary
Fixed in
1.9.35
CVE-2025-9803 is a critical account-takeover vulnerability in lunary, fixed in version 1.9.35. The flaw is missing validation of the 'aud' (audience) claim of Google OAuth tokens: lunary checked that a token was genuinely issued by Google and had not expired, but not that it had been issued for lunary's own OAuth client ID. A Google token obtained by any other application for the same Google account is therefore accepted as a login to that user's lunary account, giving the holder of the token unauthorized access to the user's data.
The impact is complete takeover of a user's lunary account. The attack is a token-substitution (confused-deputy) attack rather than a break of Google's authentication: the attacker registers their own Google OAuth application and gets the victim to sign in to it, which is an ordinary consent flow and looks harmless to the victim. Google then issues the attacker's application a token for the victim's Google identity, with 'aud' set to the attacker's client ID. Because lunary does not compare 'aud' against its own client ID, the attacker can present that token to lunary and is logged in as the victim, with full access to the victim's data and functionality: reading sensitive information, changing settings, or acting on the victim's behalf. The blast radius is every user of an affected lunary version who signs in with Google; no lunary credentials are needed, and the victim never interacts with lunary during the attack.
CVE-2025-9803 was publicly disclosed on 2025-11-25. There is no indication of active exploitation at this time, and it is not listed in the CISA KEV catalog. No public proof-of-concept (PoC) code is available as of this writing, but the attack needs nothing beyond a registered Google OAuth application and a victim willing to sign in to it, so a PoC is easy to produce. The current EPSS score is 0.12% (31st percentile); expect that to move if a PoC is published.
Organizations and individuals using lunary for AI-powered tasks and relying on Google OAuth for authentication are at risk. This includes anyone who has not yet upgraded to the fixed version (1.9.35 or later) and has not put additional controls in place to limit the impact of an account takeover.
• python / server: Examine lunary application logs for Google sign-in attempts from unexpected clients, and after patching, verify that a Google token whose 'aud' is not your lunary client ID is rejected. The script below posts such a token with Python's requests library and reports the response. The endpoint path and grant type are the ones given on this page and may not match your deployment; adjust them, and the placeholder client credentials, to your instance.
import base64
import json
import requests

# Replace with your lunary instance URL (path assumed; adjust to your deployment)
url = 'https://your-lunary-instance/oauth/token'
# Replace with your client ID and secret
client_id = 'your_client_id'
client_secret = 'your_client_secret'

# Constructed test token: JWT-shaped, 'aud' set to a foreign client ID, dummy signature.
# A correctly validating server must reject it on 'aud' (and on the signature).
def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()

header = b64url(json.dumps({'alg': 'RS256', 'typ': 'JWT'}).encode())
payload = b64url(json.dumps({'iss': 'https://accounts.google.com', 'sub': '1234567890',
                             'email': 'victim@example.com', 'exp': 4102444800,
                             'aud': 'some-other-app.apps.googleusercontent.com'}).encode())
token = f'{header}.{payload}.' + 'x' * 43

headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = {'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion': token,
        'client_id': client_id, 'client_secret': client_secret}
response = requests.post(url, headers=headers, data=data, timeout=10)
print(response.status_code)
print(response.text)
# Expect a 4xx from a patched instance; a 200 carrying a session means 'aud' is not checked.
• generic web: Monitor access logs for requests to the OAuth token endpoint with unusual parameters or user agents. Check for unusual patterns in OAuth authentication attempts, such as many sign-ins for different users from one source address.
Disclosure
Exploit status
EPSS
0.12% (31st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9803 is to upgrade lunary to version 1.9.35 or later immediately. If upgrading is not immediately feasible, consider temporary workarounds such as disabling Google sign-in, restricting access to sensitive functionality, or requiring an additional authentication factor. A WAF cannot address this code-level vulnerability, since the token it would need to inspect is valid and signed by Google; at most it can log and rate-limit token submissions to the sign-in endpoint. Review and audit the Google OAuth integration code to ensure that every accepted token has its 'aud' claim compared against lunary's own client ID, alongside the signature, issuer and expiry checks. After upgrading, confirm the fix by presenting a valid Google token issued to a different OAuth client (for example a test application you control) and verifying that lunary rejects it, while a token issued to lunary's own client ID still works.
Update the lunary-ai/lunary library to version 1.9.35 or later. This version fixes the Google OAuth authentication vulnerability by correctly verifying the 'aud' field in access tokens. The update prevents the potential takeover of accounts by attackers.
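The following is an added example, not code from the lunary project, showing the token-substitution attack described above and the audience check that closes it. It mints demo ID tokens for two hypothetical OAuth clients (the client IDs, the issuer key and the user identities are all constructed for the example; real Google ID tokens are RS256-signed and verified against Google's published JWKS, and HMAC is used here only so the example runs offline). `login_vulnerable` mirrors the pattern behind CVE-2025-9803: signature, issuer and expiry are checked, but not 'aud'. `login_hardened` adds the audience comparison.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical client IDs for the example (not real Google client IDs).
LUNARY_CLIENT_ID = "lunary-app.apps.googleusercontent.com"
ATTACKER_CLIENT_ID = "attacker-app.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Stand-in signing key. Google signs ID tokens with RS256 and publishes the
# public keys as JWKS; a symmetric demo key is used here purely to run offline.
DEMO_KEY = b"demo-issuer-key-not-google"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, email: str, aud: str, ttl: int = 3600) -> str:
    """Mint a demo ID token the way the issuer would for the app identified by `aud`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    claims = {"iss": "https://accounts.google.com", "sub": sub, "email": email,
              "aud": aud, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _decode_verified(token: str) -> dict:
    """Check signature, issuer and expiry. Shared by both validators below."""
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("bad issuer")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims


def login_vulnerable(token: str) -> str:
    """Pattern behind CVE-2025-9803: a genuine, unexpired Google token is enough.
    A token the issuer minted for *any* client ID logs the token's subject in."""
    claims = _decode_verified(token)
    return claims["email"]


def login_hardened(token: str) -> str:
    """Same checks plus the audience binding: the token must have been issued to us."""
    claims = _decode_verified(token)
    if claims.get("aud") != LUNARY_CLIENT_ID:
        raise ValueError(f"aud mismatch: token issued to {claims.get('aud')!r}")
    return claims["email"]


def demo() -> dict:
    """Run both validators against a legitimate token and a substituted one."""
    # Victim signs in to the attacker's app: the issuer mints a token with aud=attacker.
    stolen = mint_token("1001", "victim@example.com", ATTACKER_CLIENT_ID)
    # Victim signs in to lunary itself: aud is lunary's own client ID.
    legit = mint_token("1001", "victim@example.com", LUNARY_CLIENT_ID)
    out = {"legit_vuln": login_vulnerable(legit),
           "legit_hard": login_hardened(legit),
           "stolen_vuln": login_vulnerable(stolen)}   # account takeover
    try:
        login_hardened(stolen)
        out["stolen_hard"] = "accepted"
    except ValueError as e:
        out["stolen_hard"] = f"rejected ({e})"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Run it and the substituted token logs the victim in through `login_vulnerable` but is refused by `login_hardened` with an aud mismatch, while the legitimate token passes both. With real Google ID tokens the same set of checks is done by google-auth's `google.oauth2.id_token.verify_oauth2_token(token, Request(), LUNARY_CLIENT_ID)`, whose third argument is the audience; if your integration validates Google access tokens through the tokeninfo endpoint instead, apply the same comparison to the `aud` field of its response.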
CVE-2025-9803 is a critical vulnerability in lunary versions before 1.9.35 that allows attackers to take over user accounts because the 'aud' claim of Google OAuth tokens is not verified.
You are affected if you are running a lunary version earlier than 1.9.35 and use Google OAuth for authentication.
Upgrade lunary to version 1.9.35 or later to resolve this vulnerability. If immediate upgrade is not possible, implement temporary workarounds like restricting access to sensitive functionalities.
There is currently no indication of active exploitation, but the vulnerability's nature suggests it is likely to be exploited in the future.
Refer to the official lunary security advisory for detailed information and updates: [https://lunary.ai/security/advisories](https://lunary.ai/security/advisories)