Cyber Posture

CVE-2025-9803

Severity: High · Public PoC

Published: 25 November 2025
Modified: 30 December 2025
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

Security Summary

CVE-2025-9803 affects lunary-ai/lunary version 1.9.34, an open-source application vulnerable to account takeover stemming from improper authentication in its Google OAuth integration. Specifically, the application does not verify the 'aud' (audience) field in access tokens issued by Google, which is essential for confirming that the token is intended for the target application. This flaw, tied to CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization), enables token misuse and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Attackers can exploit this vulnerability remotely and without prior privileges by using access tokens that Google issued to an attacker-controlled application. The typical scenario involves tricking a user into authorizing that application via phishing or social engineering (reflected in the UI:R requirement); the attacker then takes the resulting token and submits it to lunary-ai/lunary, which accepts it because the audience is never checked. Successful exploitation grants full unauthorized access to the victim's account, with high confidentiality, integrity, and availability impact.

The vulnerability is resolved in lunary-ai/lunary version 1.9.35, as detailed in the fixing commit at https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91 and reported via Huntr advisories at https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6. Security practitioners should prioritize upgrading to the patched version and review OAuth implementations for proper audience validation.
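The missing audience check described above, shown as an added JavaScript illustration (not lunary's own code). It assumes the claims object returned by Google's tokeninfo endpoint has already been parsed, and every client ID and claim value below is a constructed placeholder.

```javascript
// Added example: audience validation of Google token claims, vulnerable vs hardened.
// `claims` is assumed to be the parsed JSON from Google's tokeninfo endpoint
// (fields aud, exp, email, email_verified). Values are constructed, not real.

const OUR_CLIENT_ID = "111111111111-ourapp.apps.googleusercontent.com"; // placeholder

// Vulnerable pattern: trusts any Google-issued token that carries an email.
// A token minted for a different OAuth client (a different `aud`) still passes,
// which is the CWE-287 / CWE-863 weakness behind CVE-2025-9803.
function lookupUserVulnerable(claims) {
  if (!claims || !claims.email) return null;
  return { email: claims.email };
}

// Hardened pattern: the token must be bound to THIS application (aud),
// must be unexpired, and must carry a verified email address.
function lookupUserFixed(claims, expectedAud = OUR_CLIENT_ID,
                         nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!claims || typeof claims.aud !== "string") return null;
  if (claims.aud !== expectedAud) return null; // the check the vulnerable version lacks
  const exp = Number(claims.exp);              // tokeninfo returns exp as a string
  if (!Number.isFinite(exp) || exp <= nowSeconds) return null;
  if (claims.email_verified !== true && claims.email_verified !== "true") return null;
  if (!claims.email) return null;
  return { email: claims.email };
}

// Constructed sample claims: one token issued to our client, one issued to some
// other application that the same user also authorized.
const NOW = 1764028800; // constructed fixed clock so results are deterministic
const legitClaims = {
  aud: OUR_CLIENT_ID, exp: String(NOW + 3600),
  email: "victim@example.com", email_verified: "true",
};
const foreignClaims = {
  aud: "222222222222-otherapp.apps.googleusercontent.com", exp: String(NOW + 3600),
  email: "victim@example.com", email_verified: "true",
};

// Returns [vulnerable-result, fixed-result] for the foreign-audience token.
function compareOnForeignToken() {
  return [lookupUserVulnerable(foreignClaims), lookupUserFixed(foreignClaims, OUR_CLIENT_ID, NOW)];
}
```

Running compareOnForeignToken() shows the vulnerable lookup resolving the victim's account from a token that was never issued to this application, while the hardened lookup rejects it.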

Details

CWE(s)
CWE-287, CWE-863

Affected Products

Vendor: lunary
Product: lunary
Version: 1.9.34

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Lunary.ai is an open-source LLM observability and management platform, fitting the Enterprise AI Assistants category as it provides enterprise-level tools for monitoring and managing AI/LLM deployments.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078.004 Cloud Accounts (Stealth)
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1550.001 Application Access Token (Lateral Movement)
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

The improper verification of the 'aud' field in Google OAuth tokens enables account takeover by allowing tokens issued to malicious applications to authenticate users, facilitating exploitation of a public-facing application, use of valid cloud accounts, and application access tokens as alternate authentication material.
