CVE-2024-3760 Overview
CVE-2024-3760 affects lunary-ai/lunary version 1.2.7. The forgot password endpoint lacks rate limiting, enabling email bombing attacks. Attackers automate password reset requests to flood targeted accounts with reset emails.
The flood overwhelms victim mailboxes and burdens mail servers. Resource consumption can degrade performance or render mail services unavailable across an organization. The vulnerability is classified under CWE-770: Allocation of Resources Without Limits or Throttling.
Critical Impact
Unauthenticated remote attackers can disrupt email services organization-wide by automating forgot-password requests against the Lunary application.
Affected Products
- lunary-ai/lunary version 1.2.7
- Earlier Lunary releases without rate limiting on the forgot password endpoint
- Deployments exposing the password reset functionality to the internet
Discovery Timeline
- 2024-11-14 - CVE-2024-3760 published to NVD
- 2024-11-18 - Last updated in NVD database
Technical Details for CVE-2024-3760
Vulnerability Analysis
The Lunary application exposes a forgot password endpoint that accepts password reset requests without throttling. An attacker can submit unlimited requests for a target email address. Each request triggers the application to generate and send a password reset email.
The issue is a denial-of-service condition affecting availability. Confidentiality and integrity are not directly impacted. The attack vector is network-based and requires neither privileges nor user interaction.
Downstream impact extends beyond the Lunary application. Mail servers handling outbound traffic from Lunary consume CPU, memory, and queue resources processing the flood. Victim inboxes fill rapidly, burying legitimate correspondence.
Root Cause
The root cause is the absence of rate limiting and request throttling on the forgot password handler. The application does not enforce per-IP, per-account, or global request quotas. It also does not implement CAPTCHA or proof-of-work challenges to deter automated abuse.
The upstream patch is tracked in Lunary commit 29374bb, which introduces request throttling on the affected route.
Attack Vector
An attacker scripts HTTP POST requests to the /forgot-password endpoint of a Lunary deployment. Each request includes the target user's email address. The attacker loops the request at high frequency from one or many source addresses.
The application processes each request, generates a reset token, and dispatches an email through the configured mail relay. The victim receives hundreds or thousands of reset emails. Mail server resources are consumed servicing the outbound flood. See the Huntr disclosure for additional context.
Detection Methods for CVE-2024-3760
Indicators of Compromise
- High volume of POST requests to the forgot password endpoint from a single source or distributed sources within a short time window
- Spike in outbound SMTP traffic from the Lunary application server to the mail relay
- User reports of receiving repeated password reset emails they did not request
- Mail queue backlog or degraded mail server response times correlated with Lunary activity
Detection Strategies
- Monitor web server access logs for repeated requests to /forgot-password or equivalent reset routes targeting the same email parameter
- Correlate application logs showing password reset token generation with outbound mail server send rates
- Alert when password reset request volume exceeds baseline thresholds per email address or per source IP
Monitoring Recommendations
- Instrument the forgot password endpoint with metrics for request rate, unique source IPs, and unique target accounts
- Configure SIEM rules to flag bursts exceeding a defined threshold within a sliding window
- Track mail server queue depth and SMTP rejection rates to identify resource exhaustion early
How to Mitigate CVE-2024-3760
Immediate Actions Required
- Upgrade lunary-ai/lunary to a version containing the fix from commit 29374bb
- Deploy a reverse proxy or web application firewall rule to rate-limit requests to the forgot password endpoint
- Audit recent application and mail logs for evidence of prior abuse
Patch Information
The vendor remediated the issue in Lunary commit 29374bb10020712009c1ec238affe098112a51d6. Apply the upstream fix or upgrade to a Lunary release that includes this commit. Additional disclosure details are available on the Huntr bounty report.
Workarounds
- Place the forgot password endpoint behind a WAF or API gateway that enforces per-IP and per-account rate limits
- Add CAPTCHA or equivalent bot mitigation in front of the password reset form
- Throttle outbound SMTP send rates from the application to limit downstream mail server impact
# Example nginx rate limit configuration for the forgot password route
http {
    # 10 MB shared zone keyed by client address, admitting 5 requests per minute per address
    limit_req_zone $binary_remote_addr zone=forgot_pw:10m rate=5r/m;

    server {
        location /api/auth/forgot-password {
            # Allow a burst of 3 extra requests without queueing; anything beyond is rejected (503 by default)
            limit_req zone=forgot_pw burst=3 nodelay;
            proxy_pass http://lunary_backend;
        }
    }
}
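As an added example that is not Lunary's code or the upstream fix in commit 29374bb, the following JavaScript pairs the two halves of the advice on this page: an in-application sliding-window throttle enforcing the per-IP, per-account and global quotas the Root Cause section says the handler lacked (complementing the proxy-level nginx limit above), and a detector that scans nginx combined-format access logs for the request bursts listed under Detection Strategies. The route /api/auth/forgot-password, the limits, the one-minute window and the log lines are assumptions constructed for the example.

```javascript
// Added example (not Lunary's code or the upstream fix): sliding-window
// counters used to (1) throttle a forgot-password handler per IP, per
// account, and globally, and (2) flag bursts of reset requests in access logs.
// The route, limits, window, and log lines below are assumptions.
const RESET_PATH = '/api/auth/forgot-password';
const WINDOW_MS = 60_000;                          // 1-minute sliding window
const LIMITS = { ip: 5, email: 3, global: 100 };   // requests per window (assumed values)

class SlidingWindowCounter {
  constructor(windowMs) {
    this.windowMs = windowMs;
    this.events = new Map();                       // key -> timestamps (epoch ms)
  }
  // Record one event for `key` at `now` and return how many fall inside the window.
  hit(key, now) {
    const recent = (this.events.get(key) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.events.set(key, recent);
    return recent.length;
  }
}

// --- Mitigation side: decide whether a reset email may be sent ---------------
function createThrottle(limits = LIMITS, windowMs = WINDOW_MS) {
  const byIp = new SlidingWindowCounter(windowMs);
  const byEmail = new SlidingWindowCounter(windowMs);
  const overall = new SlidingWindowCounter(windowMs);
  return {
    // Every request is counted against all three quotas before deciding. The
    // handler should return the same generic response whether or not a mail
    // was sent, so throttling reveals neither the limit nor account existence.
    shouldSend(ip, email, now = Date.now()) {
      const account = String(email).trim().toLowerCase();
      const ipCount = byIp.hit(ip, now);
      const emailCount = byEmail.hit(account, now);
      const globalCount = overall.hit('*', now);
      return ipCount <= limits.ip && emailCount <= limits.email && globalCount <= limits.global;
    },
  };
}

// --- Detection side: scan nginx combined-format access logs -----------------
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Convert a CLF timestamp such as "14/Nov/2024:10:00:01 +0000" to epoch ms (UTC).
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || MONTHS[m[2]] === undefined) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (m[7] === '-' ? -1 : 1) * (+m[8] * 60 + +m[9]) * 60_000;
  return local - offsetMs;
}

// Returns one alert per source IP the first time it exceeds `limit` POSTs to
// the reset route within `windowMs`. Access logs carry no request body, so
// per-account bursts must be counted from application logs instead.
function detectResetFloods(lines, { path = RESET_PATH, limit = LIMITS.ip, windowMs = WINDOW_MS } = {}) {
  const counter = new SlidingWindowCounter(windowMs);
  const alerts = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, ts, method, reqPath] = m;
    if (method !== 'POST' || reqPath.split('?')[0] !== path) continue;
    const now = parseClfTime(ts);
    if (now === null) continue;
    const count = counter.hit(ip, now);
    if (count === limit + 1) alerts.push({ ip, at: ts, count });
  }
  return alerts;
}

// Constructed sample log: seven reset POSTs in seven seconds from one address,
// plus ordinary traffic from another address.
const SAMPLE_LOG = [
  ...Array.from({ length: 7 }, (_, i) =>
    `203.0.113.7 - - [14/Nov/2024:10:00:0${i + 1} +0000] "POST ${RESET_PATH} HTTP/1.1" 200 15 "-" "curl/8.4.0"`),
  '198.51.100.9 - - [14/Nov/2024:10:00:03 +0000] "GET /login HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
  `198.51.100.9 - - [14/Nov/2024:10:00:05 +0000] "POST ${RESET_PATH} HTTP/1.1" 200 15 "-" "Mozilla/5.0"`,
];

// Expected: a single alert for 203.0.113.7 on its sixth request.
console.log(detectResetFloods(SAMPLE_LOG));
```

The throttle records every request against all three counters before deciding, and the calling handler should answer with the same generic message whether or not a mail was actually dispatched. The detector alerts once per burst rather than on every excess request, which keeps a SIEM rule built on it from paging repeatedly during one flood; correlating these alerts with outbound SMTP send rates, as the Detection Strategies list suggests, confirms that the burst reached the mail relay.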
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

