CVE-2025-4779
lunary-ai/lunary
Executive summary
A critical stored cross-site scripting (XSS) vulnerability in lunary-ai/lunary allows an unauthenticated attacker to inject malicious scripts, potentially leading to session hijacking or data theft.
Vulnerability
An unauthenticated attacker can exploit a stored cross-site scripting (XSS) vulnerability by injecting malicious JavaScript into the /v1/runs/ingest endpoint. Because the script is stored on the server, it will execute in the browser of any user who subsequently views the compromised data.
Business impact
A successful exploit of this vulnerability could allow an attacker to hijack authenticated user sessions, steal sensitive data such as credentials, or deface the application. The assigned CVSS score of 9.1 (Critical) reflects the high impact of this flaw, as it can be initiated by an unauthenticated attacker and affects the integrity and confidentiality of user data.
Remediation
Immediate Action: Administrators must immediately upgrade all vulnerable instances of lunary-ai/lunary to version 1.9.24 or a later release to mitigate this vulnerability.
Proactive Monitoring: Review web server and application logs for suspicious POST requests to the /v1/runs/ingest endpoint containing script tags or other malicious HTML payloads.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block common XSS attack patterns as a temporary defense layer if immediate patching is not feasible.
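As an added example (not code from this advisory or from the lunary project), the monitoring step above implemented as a small Python scanner over constructed JSON-lines application log entries. The log field names (ts, src_ip, method, path, body) and the indicator patterns are assumptions; the check is a heuristic triage aid for POSTs to /v1/runs/ingest, not a complete XSS detector.

```python
import html
import json
import re
from typing import List, Optional
from urllib.parse import unquote

# Heuristic indicators of HTML/JS in a request body: script or active-content tags,
# inline event handlers (onerror=, onload=, ...) and javascript: URLs.
XSS_PATTERNS = re.compile(
    r"<\s*script\b|<\s*(?:img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

# Constructed JSON-lines application log (not real lunary output); the field names are an
# assumption of this example and the addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
{"ts": "2025-05-01T10:00:00Z", "src_ip": "203.0.113.5", "method": "POST", "path": "/v1/runs/ingest", "body": "{\"events\":[{\"name\":\"chat\",\"input\":\"hello\"}]}"}
{"ts": "2025-05-01T10:00:05Z", "src_ip": "203.0.113.9", "method": "POST", "path": "/v1/runs/ingest", "body": "{\"events\":[{\"name\":\"<script>alert(1)</script>\"}]}"}
{"ts": "2025-05-01T10:00:07Z", "src_ip": "203.0.113.9", "method": "POST", "path": "/v1/runs/ingest", "body": "{\"events\":[{\"name\":\"<img src=x onerror=alert(1)>\"}]}"}
{"ts": "2025-05-01T10:00:09Z", "src_ip": "198.51.100.2", "method": "GET", "path": "/v1/runs", "body": ""}
{"ts": "2025-05-01T10:00:11Z", "src_ip": "198.51.100.2", "method": "POST", "path": "/v1/runs/ingest", "body": "{\"events\":[{\"name\":\"%3Cscript%3Ealert(1)%3C%2Fscript%3E\"}]}"}
"""


def normalize(body: str) -> str:
    """Undo URL encoding (twice, for double-encoding) and HTML entities so obfuscated payloads are visible."""
    return html.unescape(unquote(unquote(body)))


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a POST to /v1/runs/ingest whose body carries HTML/JS indicators, else None."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None  # not a structured log line; skip it rather than abort the scan
    if entry.get("method") != "POST" or entry.get("path") != "/v1/runs/ingest":
        return None
    match = XSS_PATTERNS.search(normalize(entry.get("body", "")))
    if match is None:
        return None
    return {"ts": entry.get("ts"), "src_ip": entry.get("src_ip"), "indicator": match.group(0)}


def scan_log(text: str) -> List[dict]:
    """Scan every non-empty line and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = scan_line(line)
            if finding:
                findings.append(finding)
    return findings
```

Calling `scan_log(SAMPLE_LOG)` flags the two raw payloads and the URL-encoded one, while the benign ingest and the GET request produce no finding.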
Exploitation status
Public Exploit Available: Information not available
Analyst recommendation
Given the critical severity (CVSS 9.1) and the unauthenticated nature of this stored XSS vulnerability, immediate action is required. We strongly recommend prioritizing the deployment of the security update to version 1.9.24 or newer to prevent the potential compromise of user accounts and application data.