Cyber Posture

CVE-2025-9803

Severity: High · Public PoC

Published: 25 November 2025
Modified: 30 December 2025
KEV Added: not listed
Patch: fixed in 1.9.35
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (24.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9803 is a high-severity Improper Authentication (CWE-287) vulnerability in Lunary (vendor: Lunary). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Protocol-Specific Risks domain.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Requires validation of authenticators such as Google OAuth access tokens prior to use, directly addressing the failure to verify the 'aud' field.

prevent: Mandates proper employment of identity providers and authorization servers like Google OAuth with secure token validation to prevent misuse of tokens issued to malicious applications.

prevent: Enforces information input validation at entry points, ensuring OAuth access tokens are checked for critical claims like 'aud' to block unauthorized account access.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078.004 Cloud Accounts (Stealth): Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1550.001 Application Access Token (Lateral Movement): Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

Because the 'aud' field of Google OAuth tokens is not verified, a token issued to a malicious application can authenticate a user, enabling account takeover. This maps to exploitation of a public-facing application (T1190), use of valid cloud accounts (T1078.004), and use of application access tokens as alternate authentication material (T1550.001).

NVD Description

lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.

Deeper analysis [AI]

CVE-2025-9803 affects lunary-ai/lunary version 1.9.34, an open-source application vulnerable to account takeover stemming from improper authentication in its Google OAuth integration. Specifically, the application does not verify the 'aud' (audience) field in access tokens issued by Google, which is essential for confirming that the token is intended for the target application. This flaw, tied to CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization), enables token misuse and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Attackers can exploit this vulnerability remotely without privileges by leveraging access tokens issued to malicious Google applications. The scenario typically involves tricking a user into authorizing a malicious app via phishing or social engineering (reflected in the UI:R requirement), after which the attacker steals the token and submits it to lunary-ai/lunary. Successful exploitation grants full unauthorized access to the victim's account, enabling confidentiality, integrity, and availability impacts.

The vulnerability is resolved in lunary-ai/lunary version 1.9.35, as detailed in the fixing commit at https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91 and reported via Huntr advisories at https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6. Security practitioners should prioritize upgrading to the patched version and review OAuth implementations for proper audience validation.
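The missing audience check described above, as an added example that is not code from lunary-ai/lunary: a Node.js user resolver that trusts any Google-issued token with a verified email, beside a hardened version that also requires the token's 'aud' claim to name this application's own OAuth client ID. The client ID, clock value and claims objects are constructed for the demonstration; the field names follow Google's ID-token / tokeninfo payload.

```javascript
// Added example, not code from lunary-ai/lunary: why the 'aud' claim must be checked.
// Claims are the parsed fields Google returns for a token (ID-token payload or
// tokeninfo response); all values below are constructed for the demonstration.
const APP_CLIENT_ID = "example-app.apps.googleusercontent.com"; // placeholder client ID
const NOW = 1764000000; // fixed Unix time so the example is deterministic

// Vulnerable pattern (CWE-287): any Google-issued token with a verified email
// logs the user in, regardless of which application the token was issued to.
function vulnerableResolveUser(claims) {
  if (!claims || claims.email_verified !== true || !claims.email) return null;
  return claims.email;
}

// Hardened pattern: the token must be issued for THIS application (aud), be
// unexpired, and carry a verified email. 'aud' may be a string or an array.
function hardenedResolveUser(claims, expectedAud = APP_CLIENT_ID, now = NOW) {
  if (!claims || typeof claims !== "object") return null;
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(expectedAud)) return null;    // token meant for another app
  const exp = Number(claims.exp);
  if (!Number.isFinite(exp) || exp <= now) return null;  // expired or malformed exp
  if (claims.email_verified !== true || !claims.email) return null;
  return claims.email;
}

// Constructed sample claims. The second set is what the advisory describes: a
// genuine Google token for the victim's account, but issued to a different
// application, so 'aud' names that other app's client ID.
const legitimateClaims = {
  aud: APP_CLIENT_ID, azp: APP_CLIENT_ID,
  email: "victim@example.com", email_verified: true, exp: NOW + 3600,
};
const foreignAppClaims = {
  aud: "other-app.apps.googleusercontent.com",
  azp: "other-app.apps.googleusercontent.com",
  email: "victim@example.com", email_verified: true, exp: NOW + 3600,
};
const expiredClaims = { ...legitimateClaims, exp: NOW - 1 };

// Summarises the behaviour of both resolvers on the sample claims.
function demo() {
  return {
    vulnerableAcceptsForeign: vulnerableResolveUser(foreignAppClaims) === "victim@example.com",
    hardenedRejectsForeign: hardenedResolveUser(foreignAppClaims) === null,
    hardenedAcceptsOwn: hardenedResolveUser(legitimateClaims) === "victim@example.com",
    hardenedRejectsExpired: hardenedResolveUser(expiredClaims) === null,
  };
}
console.log(demo());
```

The same 'aud' comparison applies to a decoded ID token after its signature has been verified; audience validation never replaces signature or expiry checks, it sits alongside them.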

Details

CWE(s): CWE-287, CWE-863
Affected Products: lunary / lunary / 1.9.34 (vendor / product / version)

AI Security Analysis [AI]

AI Category: Enterprise AI Assistants
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Lunary.ai is an open-source LLM observability and management platform, fitting the Enterprise AI Assistants category as it provides enterprise-level tools for monitoring and managing AI/LLM deployments.

CVEs Like This One

CVE-2024-8999 (same product: Lunary Lunary)
CVE-2024-9095 (same product: Lunary Lunary)
CVE-2025-5352 (same product: Lunary Lunary)
CVE-2024-9099 (same product: Lunary Lunary)
CVE-2024-9096 (same product: Lunary Lunary)
CVE-2024-5386 (same product: Lunary Lunary)
CVE-2024-8998 (same product: Lunary Lunary)
CVE-2026-30863 (shared CWE-287, CWE-863)
CVE-2026-32173 (shared CWE-287, CWE-863)
CVE-2025-27138 (shared CWE-287, CWE-863)
