Platform
python
Component
lunary-ai/lunary
Fixed in
1.9.35
CVE-2025-9803 is a critical account takeover vulnerability affecting lunary versions prior to 1.9.35. The flaw stems from missing validation of the 'aud' (audience) field when lunary verifies Google OAuth tokens: the login flow did not check that the token was issued to lunary's own Google OAuth client. Consequently, a token that any other Google OAuth application obtained for a user can be replayed to lunary to sign in as that user, leading to unauthorized access and potential data exposure. A fix is available in version 1.9.35.
The impact of CVE-2025-9803 is severe, enabling attackers to completely take over user accounts within the lunary application. The attack works as follows: the attacker registers an ordinary Google OAuth application and lures the victim into signing into it with Google. Google issues the attacker's application a token for the victim, with the 'aud' field set to the attacker's client ID. The attacker then presents that token to lunary's Google login. Because lunary does not compare 'aud' with its own client ID, it treats the token as a valid login for the victim and grants the attacker full access to the victim's data and functionality within lunary. This could include accessing sensitive information, modifying user settings, or performing actions on behalf of the compromised user. The blast radius extends to every user of an affected lunary version who has a Google account matching their lunary account, since the victim only needs to sign into the attacker's application, not into lunary.
CVE-2025-9803 was publicly disclosed on 2025-11-25. There is no indication of active exploitation at this time, and it is not listed in the CISA KEV catalog. No public proof-of-concept (PoC) code is known, although the attack needs nothing beyond an ordinary Google OAuth application and a token replay, so a PoC would be simple to write. The current EPSS score is 0.12% (31st percentile), reflecting low predicted exploitation activity at the time of writing.
Exploit Status
EPSS
0.12% (31st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-9803 is to upgrade lunary to version 1.9.35 or later immediately. If upgrading is not immediately feasible, reduce exposure until you can: temporarily disable Google sign-in if your deployment allows it, restrict access to sensitive functionality, and review access logs for Google logins from unexpected sources. A WAF cannot fix this code-level flaw; at most it can log or rate-limit requests to the Google login endpoint. Audit the Google OAuth integration code so that 'aud' is always compared with lunary's own OAuth client ID, and keep that check in future development cycles. After upgrading, confirm the fix by obtaining a Google token for a test account through a separate OAuth client (not lunary's) and presenting it to lunary's Google login; the login must be rejected, while a token issued to lunary's own client ID must still succeed.
Update the lunary-ai/lunary library to version 1.9.35 or higher. This version corrects the Google OAuth authentication vulnerability by verifying the 'aud' (audience) field of Google OAuth tokens against lunary's own OAuth client ID, so tokens issued to other applications are rejected. The update prevents the account takeover described above.
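The following is an added example, not lunary's code, illustrating the attack path described above and the post-upgrade check. It models the relevant fields of Google's tokeninfo response ('aud', 'sub', 'email', 'email_verified', 'exp') and compares a login handler that skips the audience check with one that enforces it. The client IDs, user identity and token payloads are constructed for the example; `OUR_CLIENT_ID` stands in for the application's own Google OAuth client ID.

```python
"""Audience ('aud') check for Google OAuth sign-in (added example, not lunary code).

Google's tokeninfo endpoint reports which OAuth client a token was issued to
('aud'). A login handler that accepts any Google token carrying a verified user
identity, without comparing 'aud' to its own client ID, also accepts tokens that
a different (attacker-controlled) app obtained from the same user.
Field names follow Google's tokeninfo response; the client IDs, user identity
and token payloads below are constructed for the example.
"""
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical client ID of our own Google OAuth app (assumption for the example).
OUR_CLIENT_ID = "123456789012-ourapp.apps.googleusercontent.com"


@dataclass(frozen=True)
class TokenInfo:
    aud: str             # OAuth client ID the token was issued to
    sub: str             # stable Google user ID
    email: str
    email_verified: bool
    exp: int             # expiry, Unix seconds


def parse_tokeninfo(raw: dict) -> TokenInfo:
    """Normalise a tokeninfo-style JSON object (tokeninfo returns values as strings)."""
    return TokenInfo(
        aud=str(raw["aud"]),
        sub=str(raw["sub"]),
        email=str(raw.get("email", "")),
        email_verified=str(raw.get("email_verified", "false")).lower() == "true",
        exp=int(raw["exp"]),
    )


def _identity_checks(info: TokenInfo, now: float) -> Optional[str]:
    """Checks both handlers share; returns a rejection reason or None."""
    if info.exp <= now:
        return "expired"
    if not info.email_verified:
        return "email not verified"
    return None


def vulnerable_login(info: TokenInfo, now: Optional[float] = None) -> dict:
    """Pre-fix behaviour: any unexpired Google token for a verified user logs them in."""
    now = time.time() if now is None else now
    reason = _identity_checks(info, now)
    if reason:
        return {"ok": False, "reason": reason}
    return {"ok": True, "user": info.sub, "email": info.email}


def hardened_login(info: TokenInfo, expected_aud: str = OUR_CLIENT_ID,
                   now: Optional[float] = None) -> dict:
    """Fixed behaviour: the token must additionally have been issued to *our* client."""
    if info.aud != expected_aud:
        # Token was issued to another OAuth app; never mint a session for it.
        return {"ok": False, "reason": "audience mismatch"}
    return vulnerable_login(info, now)


# Constructed sample: the victim signed into an attacker-controlled Google app,
# so Google issued a token whose 'aud' is the attacker's client ID.
NOW = 1_764_000_000  # fixed clock so the example is reproducible
ATTACKER_APP_TOKENINFO = {
    "aud": "999999999999-attackerapp.apps.googleusercontent.com",
    "sub": "103456789012345678901",
    "email": "victim@example.com",
    "email_verified": "true",
    "exp": str(NOW + 3000),
}
# Same victim, but a token legitimately issued to our own client.
OUR_APP_TOKENINFO = {**ATTACKER_APP_TOKENINFO, "aud": OUR_CLIENT_ID}


def demo() -> dict:
    """Replay the attacker-app token against both handlers, plus the legitimate token."""
    stolen = parse_tokeninfo(ATTACKER_APP_TOKENINFO)
    legit = parse_tokeninfo(OUR_APP_TOKENINFO)
    return {
        "vulnerable_accepts_stolen": vulnerable_login(stolen, NOW)["ok"],
        "hardened_accepts_stolen": hardened_login(stolen, now=NOW)["ok"],
        "hardened_accepts_legit": hardened_login(legit, now=NOW)["ok"],
    }


if __name__ == "__main__":
    print(demo())
```

The two calls to `hardened_login` in `demo()` are the post-upgrade check from the mitigation section in miniature: a token issued to a foreign client ID must be rejected with an audience mismatch, and a token issued to the application's own client ID must still log in. The same comparison applies if the login flow verifies a Google ID token (a JWT) instead of calling tokeninfo: its 'aud' claim must equal the application's client ID.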
CVE-2025-9803 is a critical vulnerability in lunary versions prior to 1.9.35 that allows attackers to take over user accounts because the Google OAuth login does not verify the token's 'aud' (audience) field.
You are affected if you are running a lunary version earlier than 1.9.35 and users can sign in with Google OAuth.
Upgrade lunary to version 1.9.35 or later to resolve this vulnerability. If an immediate upgrade is not possible, reduce exposure in the meantime, for example by temporarily disabling Google sign-in where your deployment allows it and restricting access to sensitive functionality.
There is currently no indication of active exploitation, but the attack is straightforward, so treat exploitation as likely.
Refer to the official lunary security advisory for detailed information and updates: [https://lunary.ai/security/advisories](https://lunary.ai/security/advisories)