CVE-2025-9803
Last modified
CVE-2025-9803 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. EPSS estimates a 0.42% chance of exploitation in the next 30 days.
Description
lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | 1.9.34 |
References
- https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6Exploit, Third Party Advisory
- https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-9803?
How severe is CVE-2025-9803?
How do I fix CVE-2025-9803?
Are you affected by CVE-2025-9803?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST