CVE-2025-5352

CRITICAL

lunary < 1.9.25 - Stored Cross-Site Scripting via NEXT_PUBLIC_CUSTOM_SCRIPT Environment Variable

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-5352. PoCs published by sahiloj.

AI-analyzed exploit summary The repository describes a stored XSS vulnerability in lunary-ai/lunary's Analytics component, where the NEXT_PUBLIC_CUSTOM_SCRIPT variable is injected into the DOM using dangerouslySetInnerHTML without sanitization. An attacker controlling this variable can execute arbitrary JavaScript in users' browsers.

Description

A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25.

Exploits (1)

nomisec WRITEUP 1 stars

by sahiloj · poc

https://github.com/sahiloj/CVE-2025-5352

View Code ZIP pw:eip

The repository describes a stored XSS vulnerability in lunary-ai/lunary's Analytics component, where the NEXT_PUBLIC_CUSTOM_SCRIPT variable is injected into the DOM using dangerouslySetInnerHTML without sanitization. An attacker controlling this variable can execute arbitrary JavaScript in users' browsers.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: lunary-ai/lunary (version not specified)

No auth needed

Prerequisites: Control over NEXT_PUBLIC_CUSTOM_SCRIPT variable during deployment or via server compromise

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/e2e43e88cecf742bacb639ab880507bbfdfd065c

Exploit, Patch, Third Party Advisory

https://huntr.com/bounties/f1d3dbce-3c3e-480e-b81e-0e8afa05c491

Scores

CVSS v3 9.6

EPSS 0.0046

EPSS Percentile 36.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-79

Status published

Products (1)

lunary/lunary < 1.9.25

Published Aug 23, 2025

Tracked Since Feb 18, 2026