CVE-2024-6862

HIGH

lunary < 1.4.10 - Cross-Site Request Forgery via Overly Permissive CORS Settings

Title source: llm

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54

Exploit, Third Party Advisory

https://huntr.com/bounties/0b1d851e-3455-480c-ad5a-23565894976f

Scores

CVSS v3 8.1

EPSS 0.0033

EPSS Percentile 56.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (3)

lunary/backend 0 - 1.4.10npm

lunary/lunary 1.2.34

npm/lunary 0 - 1.4.10npm

Published Sep 13, 2024

Tracked Since Feb 18, 2026