CVE-2024-3501 Overview
CVE-2024-3501 is an information disclosure vulnerability in lunary-ai/lunary versions up to and including 1.2.5. The application returns single-use tokens within the response bodies of the GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens are designed for sensitive operations such as password resets and account verification. Exposing them in user-facing responses allows unauthorized actors who obtain those responses to perform privileged actions on behalf of legitimate users. The flaw is tracked under CWE-922 (Insecure Storage of Sensitive Information). Lunary addressed the issue in version 1.2.6 by removing token exposure from these endpoints.
Critical Impact
An attacker who captures the API response can hijack password reset or account verification workflows and take over user accounts.
Affected Products
- Lunary AI lunary versions up to and including 1.2.5
- API endpoint GET /v1/users/me
- API endpoint GET /v1/users/me/org
Discovery Timeline
- 2024-11-14 - CVE-2024-3501 published to NVD
- 2025-01-30 - Last updated in NVD database
Technical Details for CVE-2024-3501
Vulnerability Analysis
The vulnerability stems from improper handling of sensitive authentication artifacts in API responses. Lunary embeds single-use tokens, normally reserved for out-of-band actions such as password reset emails or account verification links, inside the JSON payload returned by the user profile endpoints. Any client or intermediary that observes the response gains access to these tokens. An attacker with the ability to view this traffic can replay the tokens to reset passwords or confirm account changes, resulting in account takeover. The flaw maps to CWE-922, which covers insecure storage and exposure of sensitive information to unauthorized actors.
Root Cause
The root cause is over-inclusive serialization of the user object. The backend selects all user attributes from the database, including columns holding single-use tokens, and returns them directly in the API response. The code does not filter or redact sensitive fields before serialization. The fix in commit 17e95f6c99c7d5ac4ee5451c5857b97a12892c74 explicitly removes these token fields from the response payload for /v1/users/me and /v1/users/me/org.
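As an added illustration of this root cause (example code, not Lunary's own handler or schema), the snippet below contrasts the over-inclusive "serialize the whole row" shape with a hardened version that projects an explicit allowlist of public fields, plus a regression guard that catches any credential-like key reaching the payload. The row layout and the token column names (taken from the indicator list on this page) are assumptions.

```typescript
// Constructed user row standing in for a SELECT * of a users table.
// Column names are assumptions for this example, not Lunary's real schema.
interface UserRow {
  id: string;
  email: string;
  name: string;
  orgId: string;
  passwordHash: string;
  singleUseToken: string | null;      // reset / verification style token
  recoveryToken: string | null;
  verificationToken: string | null;
}

const SAMPLE_ROW: UserRow = {
  id: "u_123",
  email: "alice@example.test",
  name: "Alice",
  orgId: "org_9",
  passwordHash: "$argon2id$constructed",
  singleUseToken: "sut_constructed_token",
  recoveryToken: null,
  verificationToken: "vt_constructed_token",
};

// Vulnerable shape: the whole row is returned as-is, so every token column
// reaches the client. This mirrors the pre-1.2.6 behaviour described above.
function serializeUserVulnerable(row: UserRow): Record<string, unknown> {
  return { ...row };
}

// Hardened shape: project an explicit allowlist. Anything not listed here
// (tokens, password hashes, future sensitive columns) cannot leak by default.
const PUBLIC_USER_FIELDS = ["id", "email", "name", "orgId"] as const;
type PublicUser = Pick<UserRow, (typeof PUBLIC_USER_FIELDS)[number]>;

function serializeUserSafe(row: UserRow): PublicUser {
  const out: Record<string, unknown> = {};
  for (const key of PUBLIC_USER_FIELDS) {
    out[key] = row[key];
  }
  return out as PublicUser;
}

// Regression guard for tests: report any key in a serialized payload that
// looks like a credential, so a future "just add the column" change is caught.
const SENSITIVE_KEY = /token|secret|password/i;
function leaksSensitiveField(payload: Record<string, unknown>): string[] {
  return Object.keys(payload).filter((k) => SENSITIVE_KEY.test(k)).sort();
}
```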
Attack Vector
Exploitation requires network access and a low-privileged authenticated session. An attacker authenticated as any user can call GET /v1/users/me or GET /v1/users/me/org and read the single-use token from the response body. Tokens may also leak through browser caches, proxy logs, or client-side telemetry. With a valid reset token, the attacker submits it to the password reset endpoint and sets a new password for the targeted account.
No verified exploit code is available. Refer to the GitHub commit details and the Huntr bounty report for the patch diff and disclosure write-up.
Detection Methods for CVE-2024-3501
Indicators of Compromise
- Unexpected GET /v1/users/me or GET /v1/users/me/org requests followed by password reset confirmations from a different IP or user agent.
- API responses from vulnerable Lunary versions containing token-like fields such as singleUseToken, recoveryToken, or verificationToken.
- Password changes or email changes that lack a corresponding user-initiated reset request in application logs.
Detection Strategies
- Inspect HTTP response bodies from Lunary instances for sensitive token fields and alert on their presence.
- Correlate calls to /v1/users/me and /v1/users/me/org with subsequent password reset or verification endpoint calls within short time windows.
- Audit Lunary deployments for version strings at or below 1.2.5 using software inventory and reachable HTTP banners.
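The correlation described in the indicator and detection lists above, worked through as an added example (not Lunary's or any vendor's detection content): it parses constructed access-log lines, then flags a password reset that lands within a short window of a profile fetch for the same user, escalating when the reset comes from a different IP or user agent. The log format and the reset endpoint path are assumptions; substitute the deployment's real ones.

```typescript
// Constructed access-log lines (not real Lunary logs). Assumed format:
// <ISO time> <client ip> "<user agent>" <user> <method> <path> <status>
const SAMPLE_LOG = `
2024-11-14T10:00:00Z 203.0.113.5 "Mozilla/5.0" alice GET /v1/users/me 200
2024-11-14T10:00:02Z 203.0.113.5 "Mozilla/5.0" alice GET /v1/users/me/org 200
2024-11-14T10:03:10Z 198.51.100.7 "curl/8.6.0" alice POST /v1/auth/reset-password 200
2024-11-14T11:00:00Z 203.0.113.9 "Mozilla/5.0" bob GET /v1/users/me 200
2024-11-14T15:30:00Z 203.0.113.9 "Mozilla/5.0" bob POST /v1/auth/reset-password 200
`.trim();

interface Entry { t: number; ip: string; ua: string; user: string; method: string; path: string; }

function parseLog(text: string): Entry[] {
  const re = /^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\S+) (\d+)$/;
  const out: Entry[] = [];
  for (const line of text.split("\n")) {
    const m = re.exec(line.trim());
    if (!m) continue;  // skip malformed lines rather than abort the scan
    out.push({ t: Date.parse(m[1]), ip: m[2], ua: m[3], user: m[4], method: m[5], path: m[6] });
  }
  return out;
}

const PROFILE_PATHS = new Set(["/v1/users/me", "/v1/users/me/org"]);
// Assumed reset endpoint path; the page does not name Lunary's actual route.
const RESET_PATH = "/v1/auth/reset-password";

interface Alert { user: string; resetAt: string; reason: string; }

// Flag a reset confirmation that follows a profile fetch for the same user
// within `windowMs`; a different IP or user agent on the reset raises severity.
function correlateResets(entries: Entry[], windowMs = 10 * 60 * 1000): Alert[] {
  const sorted = [...entries].sort((a, b) => a.t - b.t);
  const alerts: Alert[] = [];
  for (const reset of sorted) {
    if (reset.method !== "POST" || reset.path !== RESET_PATH) continue;
    const fetches = sorted.filter((e) => e.user === reset.user && PROFILE_PATHS.has(e.path)
      && e.t <= reset.t && reset.t - e.t <= windowMs);
    if (fetches.length === 0) continue;
    const fromElsewhere = fetches.some((f) => f.ip !== reset.ip || f.ua !== reset.ua);
    alerts.push({
      user: reset.user,
      resetAt: new Date(reset.t).toISOString(),
      reason: fromElsewhere ? "reset from different ip/ua after profile fetch" : "reset shortly after profile fetch",
    });
  }
  return alerts;
}
```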
Monitoring Recommendations
- Forward Lunary application and reverse-proxy logs to a centralized analytics platform and retain at least 90 days of request and response metadata.
- Alert on anomalous account recovery activity, including reset confirmations from new geolocations or user agents.
- Track outbound API consumption patterns from third-party integrations that query /v1/users/me endpoints.
How to Mitigate CVE-2024-3501
Immediate Actions Required
- Upgrade Lunary to version 1.2.6 or later, which removes single-use tokens from user-facing API responses.
- Invalidate all outstanding single-use tokens issued by vulnerable instances and force password resets for active users.
- Review application and proxy logs for prior access to /v1/users/me and /v1/users/me/org and identify accounts that may need additional review.
Patch Information
The fix is delivered in Lunary 1.2.6 via commit 17e95f6c99c7d5ac4ee5451c5857b97a12892c74. The patch removes sensitive token fields from the response serialization for the affected endpoints. See the GitHub commit details for the exact code change.
Workarounds
- Restrict access to the Lunary API behind authenticated reverse proxies and IP allowlists until the upgrade is applied.
- Strip sensitive fields from /v1/users/me and /v1/users/me/org responses at the proxy layer using response rewriting rules.
- Shorten the lifetime of single-use tokens in configuration to reduce the window of exploitability.
# Configuration example: upgrade Lunary to the patched version
npm install lunary@1.2.6
# or, for self-hosted deployments
git fetch origin
git checkout 17e95f6c99c7d5ac4ee5451c5857b97a12892c74
npm ci && npm run build && npm run start
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

