PT-2024-29439 · Lunary · Lunary

Published 2024-05-22 · Updated 2024-06-07 · CVE-2024-4153 · Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.2
Description: The vulnerability allows an attacker to bypass the user-creation (seat) limit of an organization and so potentially evade payment requirements. The root cause is inconsistent handling of the role field in a POST request to the "/v1/users" endpoint: the check that enforces the seat limit is not applied when the invited user is assigned the admin role. By sending a request with a new user's email and the role set to admin, an attacker who can reach the endpoint invites users beyond the configured limit, and by repeating the request can add an unlimited number of users regardless of the intended restriction.
Recommendations: No fixed version is listed on this page, so treat the following as interim mitigations for version 1.2.2 rather than a fix. Disable the ability to assign the admin role to newly invited users, or reject requests to "/v1/users" that carry a role parameter, until a patched release is available. Restrict access to the "/v1/users" endpoint to trusted organization administrators. Audit existing organizations for user counts above their plan's seat limit, which would indicate prior exploitation.

Related Identifiers

CVE-2024-4153

Affected Products

Lunary