CVE-2025-9803

Published: Nov 25, 2025

Modified: Nov 25, 2025

PUBLISHED

CVSS v3.0

9.3

CRITICAL

Description

lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.

Vendor	Product	Versions
lunary-ai	lunary-ai/lunary	affected `unspecified - < 1.9.35`

Weaknesses (CWE)

CWE-287

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6

https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-9803

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References