CVE-2025-4962

An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId` query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified `projectId`. The vulnerability has been addressed in version 1.9.23.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/e977d06f18a615963ffbe07e5bdff70218c29907
https://huntr.com/bounties/137a0aef-e243-49d4-832f-8e56056cba1a

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se identificó una vulnerabilidad de Referencia Directa a Objetos Insegura (IDOR) en el endpoint `POST /v1/templates` de la API de Lunary, que afecta a versiones hasta la 0.8.8. Esta vulnerabilidad permite a usuarios autenticados crear plantillas en el proyecto de otro usuario modificando el parámetro de consulta `projectId`. La causa principal de este problema es la ausencia de validación del lado del servidor para garantizar que el usuario autenticado posea el `projectId` especificado. Esta vulnerabilidad se ha solucionado en la versión 1.9.23.

18 Aug 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-18 14:15

Updated : 2026-06-17 09:34

NVD link : CVE-2025-4962

Mitre link : CVE-2025-4962

CVE.ORG link : CVE-2025-4962

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

{"id": "CVE-2025-4962", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-4962", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-18T14:00:34.991769Z"}}], "cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "affected": [{"source": "security@huntr.dev", "affectedData": [{"vendor": "lunary-ai", "product": "lunary-ai/lunary", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.9.23", "versionType": "custom"}]}]}], "published": "2025-08-18T14:15:30.050", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/e977d06f18a615963ffbe07e5bdff70218c29907", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/137a0aef-e243-49d4-832f-8e56056cba1a", "source": "security@huntr.dev"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId` query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified `projectId`. The vulnerability has been addressed in version 1.9.23."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de Referencia Directa a Objetos Insegura (IDOR) en el endpoint `POST /v1/templates` de la API de Lunary, que afecta a versiones hasta la 0.8.8. Esta vulnerabilidad permite a usuarios autenticados crear plantillas en el proyecto de otro usuario modificando el par\u00e1metro de consulta `projectId`. La causa principal de este problema es la ausencia de validaci\u00f3n del lado del servidor para garantizar que el usuario autenticado posea el `projectId` especificado. Esta vulnerabilidad se ha solucionado en la versi\u00f3n 1.9.23."}], "lastModified": "2026-06-17T09:34:23.937", "sourceIdentifier": "security@huntr.dev"}