CVE-2025-5352 Overview
A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23. The vulnerability occurs because the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise.
Critical Impact
This vulnerability enables complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the malicious environment variable is removed.
Affected Products
- Lunary versions up to and including 1.9.23
- Lunary Analytics component
- All deployments using the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable
Discovery Timeline
- 2025-08-23 - CVE-2025-5352 published to NVD
- 2025-11-26 - Last updated in NVD database
Technical Details for CVE-2025-5352
Vulnerability Analysis
This stored XSS vulnerability resides in the Analytics component of Lunary, an AI observability platform. The root issue stems from the unsafe use of React's dangerouslySetInnerHTML property to inject user-controllable content directly into the rendered page without proper sanitization.
When the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is configured, its contents are rendered directly into the DOM, bypassing React's built-in XSS protections. An attacker who gains control over this environment variable—either through deployment pipeline compromise, configuration injection, or server access—can inject arbitrary JavaScript that executes in the context of every authenticated user's browser session.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a failure to properly sanitize user-supplied input before including it in dynamically generated web content.
Root Cause
The vulnerability exists because the application directly embeds the value of NEXT_PUBLIC_CUSTOM_SCRIPT into the page using dangerouslySetInnerHTML without implementing any input validation, content sanitization, or Content Security Policy restrictions. This React pattern explicitly bypasses the framework's built-in XSS protections and should only be used with trusted, pre-sanitized content.
Attack Vector
The attack requires network access and user interaction. An attacker must first gain the ability to modify the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable, which could be achieved through:
- Compromising the deployment pipeline or CI/CD configuration
- Gaining access to the server's environment configuration
- Exploiting misconfigured environment variable management systems
- Social engineering deployment personnel
Once the malicious script is injected, it executes automatically in every user's browser when they access the Analytics component. The scope is changed, meaning the attack can affect resources beyond the vulnerable component, leading to session hijacking, credential theft, and lateral movement within the application.
The vulnerability mechanism involves the dangerouslySetInnerHTML React property being used to inject the environment variable contents directly into the page. When a malicious payload is placed in NEXT_PUBLIC_CUSTOM_SCRIPT, it renders as executable JavaScript in the browser context of all users accessing the affected component. For detailed technical analysis, see the Huntr Bounty Listing.
Detection Methods for CVE-2025-5352
Indicators of Compromise
- Unexpected or unauthorized values in the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable
- Suspicious JavaScript code appearing in page source when viewing the Analytics component
- Unusual outbound network connections from user browsers to unknown domains
- Reports of session hijacking, unauthorized account access, or credential theft
Detection Strategies
- Review environment variable configurations for any unexpected script content in NEXT_PUBLIC_CUSTOM_SCRIPT
- Monitor deployment pipelines and CI/CD systems for unauthorized configuration changes
- Implement file integrity monitoring on server configuration files
- Analyze browser console logs and network traffic for signs of malicious script execution
Monitoring Recommendations
- Enable logging and alerting for changes to environment variables in production deployments
- Implement Content Security Policy (CSP) headers to restrict script sources and detect violations
- Monitor for unusual authentication patterns that may indicate session hijacking
- Set up alerts for configuration drift in deployment environments
How to Mitigate CVE-2025-5352
Immediate Actions Required
- Upgrade Lunary to version 1.9.25 or later immediately
- Audit the current value of NEXT_PUBLIC_CUSTOM_SCRIPT for any malicious content
- Review access logs for unauthorized modifications to environment configurations
- Force re-authentication for all users if compromise is suspected
Patch Information
The vulnerability is fixed in Lunary version 1.9.25. The security patch is available via the GitHub commit. Organizations should update to the patched version as soon as possible to eliminate the vulnerability.
Workarounds
- Remove or clear the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable until patching is complete
- Implement strict access controls for environment variable management and deployment configurations
- Deploy Content Security Policy headers to restrict inline script execution
- Monitor environment configurations for unauthorized changes using infrastructure-as-code validation
If immediate patching is not possible, administrators should ensure the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is either unset or contains only trusted, validated content. Restricting access to deployment systems and implementing configuration change monitoring provides additional defense-in-depth protection.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
