CVE-2024-8765
Published: 20 March 2025
Summary
CVE-2024-8765 is a high-severity Improper Resolution of Path Equivalence (CWE-41) vulnerability in Lunary (lunary-ai/lunary). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6895
Vulnerability details
In lunary-ai/lunary, the privilege check mechanism is flawed at git commit afc5df4. The system incorrectly identifies certain endpoints as public if the request path contains '/auth/' anywhere within it, rather than only for the genuinely unauthenticated authentication routes. This allows unauthenticated attackers to reach sensitive endpoints by including '/auth/' in the path. As a result, attackers can obtain and modify sensitive data and utilize other organizations' resources without proper authentication.
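The advisory describes a substring test ("/auth/" anywhere in the path) standing in for a route allowlist. The following is an added illustration, not code from lunary-ai/lunary: the flawed predicate beside a hardened one that matches an explicit allowlist only at the start of the normalized pathname. The route names in PUBLIC_ROUTES are hypothetical, and the sample paths are constructed to show where the two checks diverge.

```typescript
// Added example, not lunary-ai/lunary's own code. Route names are hypothetical.

// Vulnerable form of the check described in the advisory: any request whose raw
// path contains "/auth/" is treated as public, wherever that substring appears.
function isPublicRouteVulnerable(rawPath: string): boolean {
  return rawPath.includes("/auth/");
}

// Hardened form: an explicit allowlist. Entries ending in "/" are directory
// prefixes matched at the start of the pathname; others must match exactly.
const PUBLIC_ROUTES: string[] = ["/v1/auth/", "/v1/health"]; // hypothetical routes

// Resolve the request target against a throwaway origin so that the query
// string and fragment are dropped and "." / ".." segments are collapsed before
// any comparison is made. The origin itself is never contacted.
function normalizePath(rawPath: string): string {
  return new URL(rawPath, "http://placeholder.invalid").pathname;
}

function isPublicRouteFixed(rawPath: string): boolean {
  const pathname = normalizePath(rawPath);
  return PUBLIC_ROUTES.some((route) =>
    route.endsWith("/") ? pathname.startsWith(route) : pathname === route,
  );
}

// Deny-by-default gate: only the allowlisted routes skip the session check.
function requireSession(rawPath: string, hasValidSession: boolean): "allow" | "deny" {
  if (isPublicRouteFixed(rawPath)) return "allow";
  return hasValidSession ? "allow" : "deny";
}

// Constructed sample requests, all sent without a session.
const SAMPLE_PATHS: string[] = [
  "/v1/auth/login",                    // a real public route
  "/v1/orgs/42/data?redirect=/auth/",  // substring only in the query string
  "/v1/orgs/42/auth/",                 // substring in a non-auth route
  "/v1/orgs/42/auth/../export",        // dot-segment games around the substring
  "/v1/auth/../orgs/42",               // starts under the public prefix, escapes it
];

// Returns, per sample path, what each check decides for an unauthenticated caller.
function compareChecks(): Record<string, { vulnerable: boolean; fixed: boolean }> {
  const out: Record<string, { vulnerable: boolean; fixed: boolean }> = {};
  for (const p of SAMPLE_PATHS) {
    out[p] = {
      vulnerable: isPublicRouteVulnerable(p),
      fixed: requireSession(p, false) === "allow",
    };
  }
  return out;
}

for (const [p, r] of Object.entries(compareChecks())) {
  console.log(`${p.padEnd(36)} vulnerable=${r.vulnerable} fixed=${r.fixed}`);
}
```

Only the first sample is public under the hardened check; the substring check lets all five through. Normalizing before matching matters even with an allowlist: the last sample begins with the public prefix but resolves to a different resource.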
- CWE(s): CWE-41 Improper Resolution of Path Equivalence
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, lunary
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The flawed privilege check in lunary-ai/lunary allows unauthenticated attackers to exploit the public-facing web application by crafting paths containing '/auth/' to bypass authentication and access/modify sensitive data.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.