CVE-2025-9803 Overview
CVE-2025-9803 is an authentication bypass vulnerability in lunary-ai/lunary version 1.9.34 that enables account takeover through improper validation in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in access tokens issued by Google, a critical security check that ensures tokens are intended for the legitimate application. This oversight allows attackers to leverage tokens issued to malicious applications to gain unauthorized access to user accounts on the Lunary platform.
Critical Impact
Attackers can exploit this OAuth misconfiguration to completely take over user accounts by using access tokens from malicious applications, potentially gaining full access to sensitive AI/LLM observability data and configurations.
Affected Products
- lunary-ai/lunary version 1.9.34
- Lunary AI observability platform deployments using Google OAuth authentication
- Self-hosted and cloud instances running vulnerable versions
Discovery Timeline
- 2025-11-25 - CVE-2025-9803 published to NVD
- 2025-12-30 - Last updated in NVD database
Technical Details for CVE-2025-9803
Vulnerability Analysis
This authentication bypass vulnerability stems from a fundamental flaw in OAuth 2.0 token validation within the Lunary application. When a user authenticates via Google OAuth, the application receives an access token that contains several claims, including the 'aud' (audience) field. This field specifies which application the token was originally issued for and serves as a critical security control to prevent token misuse across different applications.
The vulnerable code in Lunary 1.9.34 accepts Google OAuth tokens without verifying that the audience claim matches the legitimate Lunary application's client ID. This creates a scenario where an attacker can register their own malicious OAuth application with Google, obtain a valid access token from an unsuspecting user (perhaps through a phishing attack or malicious app), and then replay that token against Lunary's authentication endpoint.
The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization), as it represents both a failure in the authentication mechanism and improper access control enforcement.
Root Cause
The root cause is the missing validation of the 'aud' (audience) claim in the Google OAuth token verification process. OAuth 2.0 security best practices require applications to verify that received tokens were specifically issued for their application by checking that the audience field matches their registered client ID. Without this check, the authentication flow cannot distinguish between legitimate tokens issued for Lunary and tokens that were issued for completely different applications but happen to belong to the same Google user.
Attack Vector
The attack follows a token confusion pattern that exploits the missing audience validation:
Attacker Setup: The attacker creates a malicious OAuth application registered with Google, obtaining their own client ID and secret.
User Interaction: The attacker lures a target user to their malicious application and requests Google OAuth authentication. The user, not realizing the implications, grants access to the attacker's application.
Token Acquisition: The attacker's malicious application receives a valid Google access token for the victim user, but this token's audience field points to the attacker's application client ID.
Token Replay: The attacker submits this token to Lunary's Google OAuth authentication endpoint. Because Lunary fails to validate the audience claim, it accepts the token as valid.
Account Takeover: Lunary authenticates the attacker as the victim user, granting full access to the victim's account, including AI/LLM logs, API keys, and project configurations.
The attack requires some user interaction (the victim must authenticate to the attacker's malicious application), but does not require any privileges on the Lunary platform itself. The fix implemented in version 1.9.35 adds proper audience validation to ensure tokens are only accepted if they were explicitly issued for Lunary's OAuth client ID. For technical details, see the security patch commit.
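The root cause described above comes down to which claims the login code checks before it maps a Google token to a local account. The following is an added example, not Lunary's code or the 1.9.35 patch: it places the vulnerable pattern (trust any e-mail Google vouches for) beside a hardened resolver that also requires the issuer, the `aud` claim, expiry and a verified e-mail. The payload shape follows a Google ID token; the client IDs, timestamps and sample payloads are constructed placeholders.

```javascript
// Added example, not Lunary's code: validating the claims Google reports for a
// token before mapping it to a local account. The payload shape follows a
// Google ID token (iss, aud, sub, exp, email, email_verified); the client IDs
// and sample payloads below are constructed placeholders.

// Our own OAuth client ID as registered with Google (placeholder).
const OUR_CLIENT_ID = 'EXAMPLE-lunary.apps.googleusercontent.com';
const GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];

// Vulnerable pattern (mirrors the flaw the advisory describes): any token Google
// vouches for is accepted for the e-mail inside it, regardless of which OAuth
// application the token was issued to.
function vulnerableResolveUser(claims) {
  if (!claims.email) {
    throw new Error('token carries no email');
  }
  return { email: claims.email };
}

// Hardened pattern: the token must come from Google, be issued to OUR client,
// be unexpired and carry a verified e-mail. `nowSeconds` is injectable so the
// check is deterministic in tests.
function hardenedResolveUser(claims, nowSeconds, expectedClientId = OUR_CLIENT_ID) {
  if (!GOOGLE_ISSUERS.includes(claims.iss)) {
    return { ok: false, reason: 'bad_issuer' };
  }
  // `aud` is normally a string, but the JWT spec allows an array; accept the
  // token only if our client ID is among the intended audiences.
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(expectedClientId)) {
    return { ok: false, reason: 'audience_mismatch' };
  }
  // exp may arrive as a string from some token-introspection APIs; normalise.
  const exp = Number(claims.exp);
  if (!Number.isFinite(exp) || exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  if (claims.email_verified !== true && claims.email_verified !== 'true') {
    return { ok: false, reason: 'email_not_verified' };
  }
  // Key the local account on the stable `sub`, not only on the e-mail.
  return { ok: true, subject: claims.sub, email: claims.email };
}

// Fixed clock and constructed payloads for the worked example.
const NOW = 1764147600; // 2025-11-26T09:00:00Z

const legitimateClaims = {
  iss: 'https://accounts.google.com',
  aud: OUR_CLIENT_ID,
  sub: '110000000000000000001',
  email: 'victim@example.com',
  email_verified: true,
  exp: NOW + 3600,
};

// Same Google account, but a token issued to a different OAuth application.
const foreignAppClaims = {
  ...legitimateClaims,
  aud: 'EXAMPLE-other-app.apps.googleusercontent.com',
};

function demonstrate() {
  return {
    vulnerableAcceptsForeign: vulnerableResolveUser(foreignAppClaims).email === 'victim@example.com',
    hardenedLegit: hardenedResolveUser(legitimateClaims, NOW),
    hardenedForeign: hardenedResolveUser(foreignAppClaims, NOW),
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The signature check is deliberately outside this snippet: it is assumed to have already been done by whatever library decodes the token, and passing that check is exactly the point where a naive implementation stops. The audience comparison is what distinguishes "Google issued this to someone" from "Google issued this to us".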
Detection Methods for CVE-2025-9803
Indicators of Compromise
- Authentication events where the same user account is accessed from multiple disparate IP addresses or geographic locations in a short timeframe
- Unusual OAuth token usage patterns, in particular (where token metadata is logged) tokens whose audience claim does not match the Lunary client ID
- Account activity anomalies such as unexpected API key generation, configuration changes, or data exports
- User reports of unauthorized access or unexpected session activity
Detection Strategies
- Implement logging of OAuth token metadata including the audience claim to identify potential token confusion attacks
- Monitor authentication logs for accounts that suddenly become active from new or suspicious IP addresses
- Deploy User and Entity Behavior Analytics (UEBA) to detect anomalous account access patterns
- Review audit logs for sensitive operations following Google OAuth authentication events
Monitoring Recommendations
- Enable comprehensive authentication logging that captures OAuth token validation details
- Set up alerts for account activity from new devices or locations following OAuth authentication
- Monitor for bulk data access or API key creation that may indicate post-compromise reconnaissance
- Implement session monitoring to detect concurrent sessions from inconsistent locations
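Two of the indicators listed above (a logged `aud` that is not the platform's client ID, and one account seen from different locations within a short window) lend themselves to a simple pass over authentication events. The following is an added example, not Lunary's or any vendor's detection rule: the log format, field names and every event in it are constructed for illustration, and `geo` stands in for whatever location enrichment a deployment has.

```javascript
// Added example, not Lunary's or any vendor's detection logic: a pass over
// authentication events looking for two of the indicators above. The log
// format, field names and every event below are constructed for this example.

// The client ID the platform expects in the token's `aud` (placeholder).
const EXPECTED_CLIENT_ID = 'EXAMPLE-lunary.apps.googleusercontent.com';

// Constructed sample: one JSON object per line, as an auth log export might look.
// Only deployments that log token metadata will have the `aud` field.
const SAMPLE_LOG = `
{"ts":"2025-11-26T09:00:00Z","user":"alice@example.com","ip":"203.0.113.10","geo":"DE","method":"google_oauth","aud":"EXAMPLE-lunary.apps.googleusercontent.com"}
{"ts":"2025-11-26T09:04:00Z","user":"alice@example.com","ip":"198.51.100.7","geo":"BR","method":"google_oauth","aud":"EXAMPLE-other-app.apps.googleusercontent.com"}
{"ts":"2025-11-26T09:30:00Z","user":"bob@example.com","ip":"192.0.2.44","geo":"US","method":"password"}
{"ts":"2025-11-26T13:00:00Z","user":"bob@example.com","ip":"192.0.2.45","geo":"US","method":"password"}
`;

// Parse JSON lines and attach an epoch-seconds timestamp for arithmetic.
function parseAuthLog(text) {
  return text
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => {
      const event = JSON.parse(line);
      return { ...event, t: Date.parse(event.ts) / 1000 };
    });
}

// Returns a list of alerts. windowSeconds bounds how close two logins from
// different locations must be to count as suspicious (15 minutes by default).
function detectSuspiciousLogins(events, { windowSeconds = 900, expectedClientId = EXPECTED_CLIENT_ID } = {}) {
  const alerts = [];

  // Indicator: a Google OAuth login whose logged audience is not our client ID.
  for (const e of events) {
    if (e.method === 'google_oauth' && e.aud !== undefined && e.aud !== expectedClientId) {
      alerts.push({ type: 'audience_mismatch', user: e.user, ts: e.ts, aud: e.aud });
    }
  }

  // Indicator: the same account seen from two locations within the window.
  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  for (const [user, list] of byUser) {
    list.sort((a, b) => a.t - b.t);
    for (let i = 1; i < list.length; i++) {
      const prev = list[i - 1];
      const cur = list[i];
      if (cur.t - prev.t <= windowSeconds && cur.geo !== prev.geo) {
        alerts.push({ type: 'location_change', user, from: prev.geo, to: cur.geo, seconds: cur.t - prev.t });
      }
    }
  }
  return alerts;
}

console.log(detectSuspiciousLogins(parseAuthLog(SAMPLE_LOG)));
```

On the sample above the audience check fires on its own for the second login, which is the strongest signal this bug leaves behind; the location rule is a weaker, noisier heuristic that still works on deployments that never logged the audience claim.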
How to Mitigate CVE-2025-9803
Immediate Actions Required
- Upgrade lunary-ai/lunary to version 1.9.35 or later immediately
- Audit recent authentication logs for any suspicious OAuth-based logins
- If the upgrade must be delayed, consider temporarily disabling Google OAuth authentication until the patch is applied
- Notify users to review their account activity and regenerate API keys if suspicious activity is detected
- Force re-authentication for all active sessions after applying the patch
Patch Information
The vulnerability is resolved in lunary-ai/lunary version 1.9.35. The security fix adds proper validation of the 'aud' (audience) claim in Google OAuth tokens, ensuring that only tokens explicitly issued for the Lunary application are accepted during authentication. The patch can be reviewed at the GitHub commit. Additional details about the vulnerability discovery are available at the Huntr bounty listing.
Workarounds
- Disable Google OAuth integration entirely and use alternative authentication methods until the patch can be applied
- Implement network-level restrictions to limit OAuth authentication endpoints to trusted IP ranges
- Deploy a Web Application Firewall (WAF) with custom rules to inspect OAuth flows for anomalies
- Enable multi-factor authentication as an additional layer of protection for sensitive accounts
# Upgrade Lunary to the patched version (npm install takes a version spec; npm update does not)
npm install lunary@1.9.35
# Alternatively, if using Docker, pull the patched image
docker pull lunary/lunary:1.9.35
# Verify the installed version after upgrade
npm list lunary
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


