CVE-2024-1599

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary version 0.3.0

Description The issue is related to insufficient server-side validation of user account types during project creation, allowing unauthorized project creation. Specifically, in the free account tier, users are limited to creating only two projects, but this restriction is only enforced in the web UI, not on the server side. This enables users to bypass the limitation and create an unlimited number of projects without upgrading their account or incurring additional charges. The vulnerability is due to the lack of checks in the project creation endpoint.

Recommendations For lunary-ai/lunary version 0.3.0, consider disabling the project creation endpoint until a patch is available to enforce server-side validation of user account types. Restrict access to the project creation functionality to minimize the risk of exploitation. Avoid using the free account tier for critical projects until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.