Home > Vulnerability Database > CVE-2025-4962

Mend.io Vulnerability Database

CVE-2025-4962

Good to know:

Date: August 18, 2025

An Insecure Direct Object Reference (IDOR) vulnerability was identified in the "POST /v1/templates" endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the "projectId" query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified "projectId". The vulnerability has been addressed in version 1.9.23.

Severity Score

7.7

Related Resources (4)

Url: https://github.com/lunary-ai/lunary/commit/e977d06f18a615963ffbe07e5bdff70218c29907

Url: https://huntr.com/bounties/137a0aef-e243-49d4-832f-8e56056cba1a

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-4962

Url: https://www.mend.io/vulnerability-database/CVE-2025-4962

Severity Score

7.7

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version https://github.com/lunary-ai/lunary.git - v1.9.22

Learn More

CVSS v3.1

Base Score:	7.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-4962

Good to know:

Date: August 18, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?