
CVE-2025-5352: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in lunary-ai lunary-ai/lunary

High
Type: Vulnerability
Tags: CVE-2025-5352, cve, cwe-79
Published: Sat Aug 23 2025 (08/23/2025, 06:56:09 UTC)
Source: CVE Database V5
Vendor/Project: lunary-ai
Product: lunary-ai/lunary

Description

A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25.

AI-Powered Analysis

Last updated: 08/23/2025, 07:17:57 UTC

Technical Analysis

CVE-2025-5352 is a critical stored Cross-Site Scripting (XSS) vulnerability identified in the Analytics component of the lunary-ai/lunary software, affecting versions up to 1.9.23. The root cause of this vulnerability lies in the unsafe handling of the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable, which is directly injected into the Document Object Model (DOM) using React's dangerouslySetInnerHTML property without any sanitization or validation. This practice violates secure coding principles and allows an attacker who can control the environment variable—either during deployment or via server compromise—to inject arbitrary JavaScript code that executes in the browsers of all users accessing the affected application. The stored nature of this XSS means the malicious script persists and affects all users until the environment variable is corrected or sanitized. Potential consequences include complete account takeover, unauthorized data exfiltration, distribution of malware, and persistent attacks that can compromise user trust and system integrity. The vulnerability has been assigned a CVSS v3.0 score of 8.1, indicating high severity, with attack vector as network, high attack complexity, no privileges required, no user interaction needed, and impacts on confidentiality, integrity, and availability. The issue is resolved in lunary-ai/lunary version 1.9.25, where presumably proper sanitization or validation of the environment variable input is implemented to prevent script injection.

Potential Impact

For European organizations using lunary-ai/lunary in their analytics infrastructure, this vulnerability poses a significant risk. Exploitation could lead to widespread compromise of user accounts and sensitive analytics data, potentially exposing personal data protected under GDPR regulations. The ability to execute arbitrary JavaScript in users' browsers can facilitate phishing, session hijacking, and malware distribution campaigns targeting employees or customers. Persistent XSS can undermine trust in the affected service and cause reputational damage. Additionally, if the environment variable is compromised via server breach, attackers gain a persistent foothold affecting all users, increasing the attack surface and complicating incident response. The high severity and network exploitability mean attackers can remotely exploit this without authentication or user interaction, raising the urgency for European organizations to address this vulnerability promptly to avoid regulatory penalties and operational disruptions.

Mitigation Recommendations

European organizations should immediately upgrade lunary-ai/lunary to version 1.9.25 or later where the vulnerability is fixed. If upgrading is not immediately feasible, organizations should implement strict controls around environment variable management, ensuring that NEXT_PUBLIC_CUSTOM_SCRIPT cannot be influenced by untrusted sources. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) configured to detect and block suspicious script injections targeting the Analytics component. Conduct thorough code reviews and penetration testing focusing on client-side injection points. Additionally, implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of any injected malicious code. Monitoring and alerting for unusual environment variable changes or unexpected script execution patterns can also help detect exploitation attempts early. Finally, educate deployment and DevOps teams on secure environment variable handling and the risks of injecting unsanitized data into the DOM.
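As an added illustration of the pattern this advisory describes (this is example code, not lunary's own source or its 1.9.25 fix): the unsafe step of turning the NEXT_PUBLIC_CUSTOM_SCRIPT value straight into markup, beside a defensive gate that accepts only a single external `<script src>` pointing at an operator-approved host and never re-emits the raw string. Function names and the allowlisted host are assumptions.

```javascript
// Added example, not lunary's code. Demonstrates the unsafe pattern from the
// advisory and one defensive alternative. Helper names and hosts are assumed.

// Unsafe: the raw environment value becomes DOM markup, so whatever it
// contains (inline code, event handlers, extra tags) executes for every user.
function unsafeCustomScriptProps(envValue) {
  return { dangerouslySetInnerHTML: { __html: envValue } };
}

// Strict accepted shape: exactly one <script src="https://host/path"></script>
// with no body, no other attributes and nothing before or after it.
const SCRIPT_TAG = /^\s*<script\s+src="(https:\/\/[^"\s<>]+)"\s*><\/script>\s*$/i;

// Returns the validated script URL, or null if the value must not be rendered.
function allowedCustomScriptSrc(envValue, allowedHosts) {
  if (typeof envValue !== 'string') return null;
  const m = SCRIPT_TAG.exec(envValue);
  if (!m) return null; // inline bodies, attributes, extra markup all rejected
  let url;
  try {
    url = new URL(m[1]); // URL parsing resolves userinfo tricks like host@other
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  if (!allowedHosts.includes(url.hostname)) return null;
  return url.href;
}

// Safe rendering: emit only the validated URL as a src attribute (a React-style
// props object for a <script> element), never the environment string itself.
function safeCustomScriptProps(envValue, allowedHosts) {
  const src = allowedCustomScriptSrc(envValue, allowedHosts);
  return src ? { src, async: true } : null;
}
```

Pairing the allowlist with a CSP that forbids inline scripts, as the recommendations above suggest, means a value that slips past deployment controls still cannot run as inline code.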


Technical Details

Data Version: 5.1
Assigner Short Name: @huntr_ai
Date Reserved: 2025-05-30T08:23:15.862Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68a96797ad5a09ad0027ba9c

Added to database: 8/23/2025, 7:02:47 AM

Last enriched: 8/23/2025, 7:17:57 AM

Last updated: 8/23/2025, 8:04:43 AM
