lunary-ai lunary Analytics Component Stored Cross-Site Scripting Vulnerability

Vulnerability

A critical stored Cross-Site Scripting (XSS) vulnerability has been identified in the Analytics component of lunary-ai/lunary, affecting versions through 1.9.23. The vulnerability arises because the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is injected directly into the DOM using dangerouslySetInnerHTML, without any sanitization or validation. This flaw allows for the execution of arbitrary JavaScript in the browsers of all users. If an attacker can manipulate the environment variable during deployment or through a server compromise, it could lead to severe consequences, including complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is removed.

Impact

Exploitation of this vulnerability allows for stored Cross-Site Scripting, where injected scripts are executed in the context of the user. This could lead to session hijacking, with attackers stealing authentication tokens and session cookies from users. Such actions would enable attackers to impersonate users and access their accounts. Additionally, the vulnerability could be exploited to exfiltrate sensitive data, including API keys and project information, or to distribute malware by redirecting users to malicious sites or prompting them to download harmful software.

Reproduction

To reproduce this vulnerability, set the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable to a malicious value. This requires access to the server or deployment environment. Once the variable is set, start the application and navigate to any page; the injected script executes immediately. Alternatively, the same effect can be achieved by exploiting a compromised CI/CD pipeline or through server-side template injection in deployment scripts.
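The data flow described in the Vulnerability and Reproduction sections, modelled as plain functions so the weak and hardened variants can be compared and checked offline. This is an added example, not lunary's code or its actual fix: the allowlisted origin, the `renderCustomScript*` and `auditCustomScript` helpers, and the sample values are all constructed for illustration.

```javascript
// Vulnerable pattern (as the advisory describes it): the environment value becomes
// markup unchanged, which is exactly what dangerouslySetInnerHTML does with its input.
function renderCustomScriptUnsafe(env) {
  return { __html: env.NEXT_PUBLIC_CUSTOM_SCRIPT || "" };
}

// Hardened variant (assumed design, not lunary's actual fix): the variable is treated
// as an external script URL, never as markup, and is rendered only when its origin
// is on an operator-maintained allowlist. The origin below is hypothetical.
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://analytics.example.com"]);

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

function renderCustomScriptSafe(env, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const url = parseUrl(env.NEXT_PUBLIC_CUSTOM_SCRIPT || "");
  if (url === null || url.protocol !== "https:" || !allowed.has(url.origin)) {
    return { __html: "" }; // not a URL, not https, or unknown origin: render nothing
  }
  return { __html: `<script src="${escapeAttr(url.href)}"></script>` };
}

// Deployment-time audit: returns findings for values that look like injected markup
// or code rather than a script URL, so a CI step can fail before the app starts.
function auditCustomScript(value, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  if (!value) return findings;
  if (/<\s*script/i.test(value)) findings.push("inline <script> markup in env var");
  if (/javascript:/i.test(value)) findings.push("javascript: URL");
  const url = parseUrl(value);
  if (url === null) findings.push("value is not a URL");
  else if (!allowed.has(url.origin)) findings.push("origin not allowlisted: " + url.origin);
  return findings;
}

// Constructed sample values (not from the advisory) used to exercise the functions.
const SAMPLE_BENIGN = { NEXT_PUBLIC_CUSTOM_SCRIPT: "https://analytics.example.com/tag.js" };
const SAMPLE_INJECTED = { NEXT_PUBLIC_CUSTOM_SCRIPT: "<script>/* constructed marker */</script>" };

console.log(renderCustomScriptUnsafe(SAMPLE_INJECTED).__html); // markup passes through unchanged
console.log(renderCustomScriptSafe(SAMPLE_INJECTED).__html);   // ""
console.log(auditCustomScript(SAMPLE_INJECTED.NEXT_PUBLIC_CUSTOM_SCRIPT));
```

Running the audit in the deployment pipeline catches a tampered variable before the application is started, which is the point in the Reproduction section where the injected script would otherwise go live.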

Remediation

Users should update to lunary-ai/lunary version 1.9.25 or later, where this vulnerability has been fixed.

Added: Aug 23, 2025, 7:17 AM
Updated: Aug 23, 2025, 7:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.5
exploitability: 6.0
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.