CVE-2024-3502

8.1 HIGH
Published: November 14, 2024 Modified: October 15, 2025
View on NVD

Description

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74
Source: security@huntr.dev
Patch
https://huntr.com/bounties/c2aff952-2dec-4538-8905-190c484aae94
Source: security@huntr.dev
Issue Tracking Patch Third Party Advisory

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
0.2%
39th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-201 CWE-922

Affected Vendors

lunary

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A