CVE-2025-5352 is a critical stored Cross-Site Scripting (XSS) vulnerability identified in the Analytics component of the lunary-ai/lunary software up to version 1.9.23. The root cause lies in the unsafe handling of the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable, which is injected directly into the Document Object Model (DOM) using React's dangerouslySetInnerHTML method without any sanitization or validation. This flaw allows an attacker who can influence the environment variable—either during deployment or through a server compromise—to inject arbitrary JavaScript code that executes in the browsers of all users accessing the affected application. Because the malicious script is stored persistently in the environment variable, the attack can have a lasting impact until the variable is sanitized or updated. The consequences of exploitation include complete account takeover, unauthorized data exfiltration, malware distribution, and persistent client-side attacks. The vulnerability has a CVSS v3 base score of 8.1, reflecting high severity, with network attack vector, high attack complexity, no privileges required, no user interaction needed, and impacts on confidentiality, integrity, and availability. The issue was addressed and fixed in lunary-ai/lunary version 1.9.25.

For European organizations using lunary-ai/lunary, especially those relying on its Analytics component, this vulnerability poses a significant risk. Exploitation could lead to widespread compromise of user accounts and sensitive data leakage, undermining trust and potentially violating data protection regulations such as the GDPR. The ability to execute arbitrary JavaScript in user browsers enables attackers to perform session hijacking, credential theft, and deliver malware payloads, which can escalate into broader network intrusions. Persistent XSS attacks can also facilitate long-term surveillance or manipulation of user interactions. Given the criticality of analytics data in business decision-making, the integrity and availability of this component are vital. Organizations in sectors like finance, healthcare, and government, where lunary-ai/lunary might be deployed, could face operational disruptions and reputational damage. Additionally, the lack of required authentication and user interaction lowers the barrier for exploitation, increasing the threat surface.

To mitigate this vulnerability, European organizations should immediately upgrade lunary-ai/lunary to version 1.9.25 or later, where the issue is fixed. Until the upgrade is possible, organizations should audit and sanitize the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable to ensure it contains no malicious code. Implement strict validation and sanitization routines for any environment variables or user-controllable inputs that are injected into the DOM. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct thorough security reviews of deployment pipelines to prevent unauthorized modification of environment variables. Additionally, monitor application logs and user activity for signs of exploitation or anomalous behavior. Educate development and operations teams about the risks of using dangerouslySetInnerHTML without proper sanitization. Finally, consider implementing runtime application self-protection (RASP) solutions to detect and block XSS attacks in real time.