PT-2025-12308 · Lunary · Lunary

Published: 2025-03-20 · Updated: 2025-03-28 · CVE-2025-0281

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions 1.6.7 and earlier

Description: A stored cross-site scripting (XSS) vulnerability exists in the SAML single sign-on flow. An attacker who can supply or modify the SAML IdP XML metadata can place a URL that carries JavaScript (for example a javascript: URL) in that metadata. The application derives the SAML login redirect URL from the metadata and assigns it to window.location.href without validating the URL's scheme or otherwise sanitizing it. When a user starts a SAML login, the browser executes the injected JavaScript in the context of the application's origin, which can lead to session hijacking, data theft, or other actions performed as that user.

Recommendations: For versions 1.6.7 and earlier, update to version 1.7.10, which resolves the issue. As a temporary workaround, validate the SAML login redirect URL before navigating to it: parse it as an absolute URL and accept only the https scheme, rejecting javascript:, data:, and similar values. Restrict who can upload or modify the SAML IdP XML metadata to reduce exposure. Avoid assigning untrusted input to window.location.href until the fix is deployed.
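The following is an added example written for this entry; it is not Lunary's code and the page does not show how version 1.7.10 fixes the issue. It models the pattern the description gives (an SSO endpoint taken from attacker-controlled IdP metadata and assigned to window.location.href) next to a hardened replacement that allow-lists the URL scheme. The metadata document is constructed to match standard SAML 2.0 IdP metadata, the function names (extractSsoUrl, vulnerableRedirect, hardenedRedirect, isSafeRedirectUrl) are hypothetical, and the browser window is replaced by a plain object so the example runs under Node and records the navigation instead of performing it.

```javascript
// Added example, not Lunary's code. Models the advisory's pattern (SSO URL from
// attacker-controlled IdP metadata assigned to window.location.href) and a
// hardened replacement. Runs under Node; a plain object stands in for window.

// Constructed SAML 2.0 IdP metadata with a legitimate HTTP-Redirect SSO endpoint.
const BENIGN_METADATA = `<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`;

// Same document with the SSO endpoint replaced by attacker-supplied values.
function withLocation(location) {
  return BENIGN_METADATA.replace('Location="https://idp.example.com/sso"', `Location="${location}"`);
}
const MALICIOUS_METADATA = withLocation('javascript:alert(document.cookie)');
// Entity-encoded and tab-split variants that slip past a naive prefix check.
const ENCODED_METADATA = withLocation('&#106;avascript:alert(1)');
const TAB_SPLIT_METADATA = withLocation('java&#9;script:alert(1)');

// Decode an XML attribute value. A real XML parser does this for you; the point
// is that validation must run on the decoded string the browser will see.
function decodeXmlAttr(value) {
  return value
    .replace(/&#x([0-9a-fA-F]+);/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Take the Location of the first SingleSignOnService element. Regex-based so the
// example needs no XML library; an application should use a real XML parser.
function extractSsoUrl(metadataXml) {
  const m = metadataXml.match(/<md:SingleSignOnService\b[^>]*\bLocation="([^"]*)"/);
  return m ? decodeXmlAttr(m[1]) : null;
}

// Naive check that looks adequate but passes "java\tscript:" because the browser's
// URL parser removes ASCII tabs and newlines before it reads the scheme.
function naiveIsSafe(url) {
  return !url.toLowerCase().startsWith('javascript:');
}

// Allow-list check using the WHATWG URL parser, the same grammar the browser
// applies to location.href. Only absolute https: URLs pass, so javascript:,
// data:, vbscript: and relative inputs are all rejected.
function isSafeRedirectUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  return parsed.protocol === 'https:';
}

// Vulnerable pattern from the advisory: whatever the metadata says becomes the
// navigation target. In a browser a javascript: value here runs in the app origin.
function vulnerableRedirect(metadataXml, win) {
  const url = extractSsoUrl(metadataXml);
  win.location.href = url;
  return url;
}

// Hardened version: refuse to navigate unless the URL passes the allow-list.
// Returns null on rejection so the caller can show an error instead.
function hardenedRedirect(metadataXml, win) {
  const url = extractSsoUrl(metadataXml);
  if (url === null || !isSafeRedirectUrl(url)) {
    return null;
  }
  win.location.href = url;
  return url;
}

// Stand-in for the browser window; navigation is recorded, not performed.
function fakeWindow() {
  return { location: { href: 'https://app.example.com/login' } };
}

console.log('vulnerable navigates to:', vulnerableRedirect(MALICIOUS_METADATA, fakeWindow()));
console.log('hardened, malicious metadata:', hardenedRedirect(MALICIOUS_METADATA, fakeWindow()));
console.log('hardened, benign metadata:', hardenedRedirect(BENIGN_METADATA, fakeWindow()));
console.log('naive check accepts tab-split payload:', naiveIsSafe(extractSsoUrl(TAB_SPLIT_METADATA)));
```

The design point is that the check has to be a scheme allow-list evaluated with a real URL parser on the decoded attribute value. Blocking the literal string "javascript:" misses entity-encoded or tab-split spellings that the browser normalizes away before navigating, and an allow-list also rejects data: and other schemes the application has no reason to redirect to.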

References: Exploit · Fix

Tags: XSS


Weakness Enumeration

Related Identifiers: CVE-2025-0281

Affected Products: Lunary