CVE-2025-0281 in lunary
Summary
by MITRE • 03/20/2025
A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can inject malicious JavaScript into the SAML IdP XML metadata, which is used to generate the SAML login redirect URL. This URL is then set as the value of `window.location.href` without proper validation or sanitization. This vulnerability allows the attacker to execute arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions. The issue is fixed in version 1.7.10.
Analysis
by VulDB Data Team • 03/20/2025
This stored cross-site scripting vulnerability in lunary-ai/lunary affects versions 1.6.7 and earlier and is a critical flaw that lets attackers execute JavaScript in users' browsers. It resides in the handling of SAML Identity Provider XML metadata: unvalidated input from that metadata is incorporated directly into the SAML login redirect URL. When the application starts the SAML authentication flow by assigning that URL to window.location.href, it neither sanitizes nor validates the injected content. The result is a persistent XSS vector in which JavaScript embedded in the stored SAML metadata executes whenever a user navigates to the vulnerable application interface.
Exploitation follows a well-defined pattern matching the CWE-79 (Cross-site Scripting) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) classifications. An attacker crafts SAML metadata containing a JavaScript payload, which is stored in the application's metadata repository. When the application later processes that metadata to build the redirect URL, the payload is carried into the window.location.href assignment and executes in the context of legitimate user sessions. This is a classic stored XSS: the malicious input persists and is executed without sanitization, which makes it particularly dangerous because it affects every user who reaches the vulnerable redirect functionality.
The impact goes beyond script execution and puts user session security and data integrity at risk. A successful attack could hijack user sessions, steal authentication tokens, read sensitive user data, or perform unauthorized actions on behalf of authenticated users. Because the SAML metadata is stored, the injected code keeps executing for every affected user until the metadata is removed or the application is updated. This threat model aligns with ATT&CK techniques T1531 (Signin Package Modification) and T1071.004 (Application Layer Protocol: DNS) when the broader attack chain of session manipulation and data exfiltration is considered. Since the flaw sits in the authentication flow, it undermines the user trust model and can compromise the security posture of any deployment relying on SAML-based single sign-on.
Mitigation requires an immediate update to version 1.7.10, where the issue is resolved through proper validation and sanitization of SAML metadata. Organizations should validate every SAML metadata field, applying strict sanitization that removes or encodes dangerous characters and script tags. Security teams should also deploy Content Security Policy (CSP) headers as an additional layer against XSS, though CSP is a secondary defense mechanism. Regular security auditing of third-party libraries and authentication components is essential, particularly for applications handling sensitive authentication flows. The fix in version 1.7.10 follows sound secure coding practice: all user-provided metadata is validated and sanitized before it is used to construct URLs or drive browser navigation, addressing the root cause through proper input handling rather than reactive mitigation.
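As an added example (not lunary's own code or fix), the following JavaScript shows the check the analysis calls for: the SingleSignOnService Location taken from IdP metadata is only assigned to window.location.href after its scheme has been verified, so a stored javascript: URL is rejected instead of executed. The helpers safeSamlRedirectUrl and extractSsoLocation and the sample metadata are constructed for this illustration.

```javascript
// Added example, not lunary's code: validate the SAML SSO redirect target so
// a metadata-supplied Location can never become a javascript: URL.
// safeSamlRedirectUrl and extractSsoLocation are hypothetical helpers.

const ALLOWED_SCHEMES = new Set(["https:"]); // widen to "http:" only for local dev

// Returns a validated absolute URL, or null when the value must not reach
// window.location.href: javascript:/data:/vbscript: schemes, relative paths
// (which would resolve against the app origin) and embedded credentials.
function safeSamlRedirectUrl(location) {
  if (typeof location !== "string") return null;
  let parsed;
  try {
    parsed = new URL(location.trim()); // no base URL: relative input throws
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  if (parsed.username || parsed.password) return null;
  return parsed.href;
}

// Simplified extraction of the SingleSignOnService Location attribute from
// IdP metadata. A regex is enough for this demo; production code should use
// a namespace-aware XML parser and pick the HTTP-Redirect binding explicitly.
function extractSsoLocation(metadataXml) {
  const m = metadataXml.match(
    /<(?:\w+:)?SingleSignOnService\b[^>]*\bLocation="([^"]*)"/
  );
  return m ? m[1] : null;
}

// Constructed sample metadata: a benign IdP, and the same document with the
// Location replaced by a javascript: URL of the kind this CVE describes.
const benignMetadata = `<md:EntityDescriptor entityID="https://idp.example/metadata">
  <md:IDPSSODescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`;
const maliciousMetadata = benignMetadata.replace(
  "https://idp.example/sso/redirect",
  "javascript:void(0)"
);

// What the login page may hand to window.location.href for a given IdP.
function redirectTargetFor(metadataXml) {
  return safeSamlRedirectUrl(extractSsoLocation(metadataXml));
}
```

With this in place the vulnerable `window.location.href = url` becomes `const target = redirectTargetFor(metadata); if (target) window.location.href = target;`, and a rejected value should be logged as a misconfigured or tampered IdP rather than silently ignored.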