CVE-2024-7472: CWE-93 Improper Neutralization of CRLF Sequences in lunary-ai lunary-ai/lunary
lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage.
AI Analysis
Technical Summary
CVE-2024-7472 is classified under CWE-93, indicating improper neutralization of CRLF sequences, which leads to an email injection vulnerability in lunary-ai/lunary version 1.2.26. The vulnerability specifically affects the Send email verification API (/v1/users/send-verification) and the Sign up API (/auth/signup). The root cause is the failure of the extractFirstName function to properly sanitize input when alternate whitespace characters such as non-breaking spaces (\xa0) are used. This allows an unauthenticated attacker to inject arbitrary data into the headers or body of outgoing emails generated by the application. Exploiting this vulnerability can facilitate phishing attacks by manipulating email content, potentially misleading recipients into divulging sensitive information or executing malicious actions. Additionally, such injection can damage the application's brand reputation, cause compliance violations (e.g., GDPR or anti-spam laws), and lead to financial consequences due to misuse of the email system. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. Although no public exploits are known at this time, the medium CVSS score (5.3) reflects moderate impact primarily on confidentiality with no direct integrity or availability effects. The vulnerability highlights the importance of robust input validation and output encoding in email-related functionalities.
Potential Impact
For European organizations, this vulnerability poses a risk of phishing campaigns that can compromise user credentials or sensitive data, undermining trust in digital services. The injection of malicious content into verification or signup emails can lead to widespread user deception, potentially affecting customer retention and brand integrity. Legal and compliance risks are significant in Europe due to stringent regulations such as GDPR and ePrivacy Directive, which mandate secure handling of personal data and communication. Unauthorized email usage could result in regulatory fines and damage to corporate reputation. Financial impacts may arise from incident response costs, remediation efforts, and potential fraud resulting from successful phishing attacks. Organizations relying on lunary-ai/lunary for user authentication or communication should consider this vulnerability a moderate threat that could disrupt secure user onboarding and verification processes.
Mitigation Recommendations
Organizations should immediately review and update lunary-ai/lunary to a patched version once available. In the absence of a patch, implement strict input validation and sanitization on all user-supplied data, especially focusing on whitespace normalization to prevent bypasses using non-standard characters like \xa0. Employ output encoding techniques to neutralize CRLF sequences before including user data in email headers or bodies. Monitor outgoing emails for anomalous content that may indicate injection attempts. Implement email security controls such as SPF, DKIM, and DMARC to reduce the impact of phishing emails. Conduct user awareness training to recognize phishing attempts originating from legitimate-looking emails. Additionally, audit logs for suspicious API usage patterns and consider rate limiting or CAPTCHA challenges on the affected endpoints to reduce automated exploitation risk.
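The whitespace normalization and CRLF neutralization recommended above, as an added illustration that is not lunary's code: a sketch of the weak pattern the advisory describes (splitting a display name on an ASCII space only) next to a hardened extractor that treats every Unicode whitespace and control character as a separator, plus a last-line check at the mail sink. Function names and the sample inputs are constructed for this example.

```javascript
// Added example (not lunary-ai/lunary's own code). Demonstrates why splitting on
// U+0020 alone is bypassable with other whitespace, and how to harden it.

// Weak pattern: only a plain ASCII space separates words. A name whose words are
// joined by U+00A0 (or that carries \r\n) survives as one "token" and reaches the
// mail template intact.
function extractFirstNameWeak(name) {
  return name.trim().split(" ")[0];
}

// Hardened variant: all Unicode whitespace (\s covers \u00a0, \u2003, \u3000, ...),
// C0/C1 control characters (\p{Cc}, which includes \r and \n) and zero-width
// characters count as separators; NFKC folds compatibility spaces; the result
// is length-capped so it cannot bloat a header line.
const SEPARATORS = /[\s\p{Cc}\u200b\u2060\ufeff]+/gu;

function extractFirstNameSafe(name, maxLen = 64) {
  if (typeof name !== "string") return "";
  const tokens = name.normalize("NFKC").split(SEPARATORS).filter(Boolean);
  return tokens.length ? tokens[0].slice(0, maxLen) : "";
}

// Sink-side guard: no header value or template field may contain CR or LF,
// regardless of what upstream sanitization did. Reject rather than strip here,
// so a bypass upstream fails loudly and shows up in logs.
function hasCrlf(value) {
  return /[\r\n]/.test(value);
}

// Constructed inputs: a normal name, an NBSP-joined name, and one carrying a
// CRLF followed by a harmless extra header line.
const SAMPLES = {
  plain: "Alice Smith",
  nbsp: "Alice\u00a0Smith",
  crlf: "Alice\u00a0Smith\r\nX-Injected: test",
};

// Returns, per sample, what each extractor yields and whether the weak result
// would still smuggle a line break into the outgoing mail.
function demo() {
  const out = {};
  for (const [key, raw] of Object.entries(SAMPLES)) {
    const weak = extractFirstNameWeak(raw);
    const safe = extractFirstNameSafe(raw);
    out[key] = { weak, safe, weakHasCrlf: hasCrlf(weak), safeHasCrlf: hasCrlf(safe) };
  }
  return out;
}
```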
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-08-04T13:38:41.689Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b2b178f764e1f470d8b
Added to database: 10/15/2025, 1:01:31 PM
Last enriched: 10/15/2025, 1:35:43 PM
Last updated: 10/16/2025, 12:42:18 PM