CVE-2025-9803: CWE-287 Improper Authentication in lunary-ai lunary-ai/lunary
lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.
AI Analysis
Technical Summary
CVE-2025-9803 is an improper authentication vulnerability (CWE-287) in the Google OAuth sign-in flow of lunary-ai/lunary version 1.9.34. The application accepted a token issued by Google without checking its 'aud' (audience) claim, the claim that names the OAuth client the token was issued to. A Google token proves only that the user authenticated to Google: every registered OAuth client that the user signs in to receives a token for that same Google identity. Google reports 'aud' both in the ID token (a signed JWT) and in the tokeninfo response for an access token; whichever form the application consumes, the value must equal its own OAuth client ID. Because lunary did not compare 'aud' with its client ID, a token issued to an unrelated, attacker-controlled OAuth client was accepted as a lunary login. The attack is therefore token substitution (a confused-deputy problem): the attacker registers their own Google OAuth application, gets the victim to sign in to it with their Google account (for example through a phishing page or a harmless-looking third-party app), receives a token bound to the victim's identity, and replays that token to lunary, which resolves the user from the token and issues a session. The attacker gains the victim's account without ever knowing the victim's lunary credentials. The CVSS v3.0 base score of 9.3 (critical) reflects a network attack vector, low complexity, no privileges required and user interaction required (the victim has to sign in to the attacker's app, but does nothing else); scope is changed, confidentiality and integrity impact are high, and availability is unaffected. No exploitation in the wild is reported, but the prerequisites are minimal. Version 1.9.35 fixes the issue by validating 'aud' against lunary's own client ID so that only tokens issued for lunary are accepted. That check belongs alongside, not instead of, verification of the token's signature, issuer ('iss') and expiry ('exp'): a correct audience does not make a forged or expired token safe.
Potential Impact
For European organizations using lunary-ai/lunary with Google OAuth sign-in, this vulnerability poses a direct risk of account takeover. An attacker who can persuade a user to sign in to an attacker-controlled Google app can impersonate that user in lunary and read or modify the prompts, traces, evaluation data and other resources the account manages, compromising confidentiality and integrity. No prior access to lunary is needed, and the only user interaction is a routine "Sign in with Google" on a third-party app, which phishing can induce at scale. Organizations in sectors with strict data protection obligations, such as finance, healthcare and government, face heightened regulatory and reputational exposure. Compromised accounts could also be used as a foothold for further attacks inside the enterprise. Because availability is unaffected, exploitation leaves systems running normally, so a breach may go unnoticed unless sign-in activity is monitored. Given how widely Google OAuth and cloud-hosted SaaS tools are used across Europe, the affected population is potentially broad.
Mitigation Recommendations
1. Upgrade lunary-ai/lunary to version 1.9.35 or later, which validates the 'aud' claim of Google tokens against the application's own client ID.
2. Audit every OAuth/OpenID Connect login path, not only Google, for the full set of token checks: signature against the provider's published keys, 'iss', 'aud' equal to your own client ID, 'exp', and 'email_verified' wherever the e-mail address is used to look up the account. A token that is validly signed but names another client must be rejected.
3. Implement monitoring and alerting for anomalous sign-ins, such as new locations or devices for an account, or sessions created without a preceding authorization redirect from your own login page.
4. Educate users that signing in with Google to an unfamiliar third-party app hands that app a token for their identity; phishing for such sign-ins is the entry point for this attack.
5. Review and enforce least privilege for the OAuth scopes your own applications request and for the third-party apps users are allowed to authorize.
6. Consider a second factor enforced by the application itself after the OAuth step. Note that MFA at Google does not help here, because the victim legitimately completes Google's login for the attacker's app; only a factor that the relying party checks blocks the replayed token.
7. Maintain an incident response plan for OAuth-related account compromise that includes invalidating active sessions and reviewing actions performed by the affected accounts.
8. Follow Google's OpenID Connect documentation and advisories for ID token validation, and apply the same rules to any other identity provider you integrate.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: @huntr_ai
- Date Reserved: 2025-09-01T13:06:49.733Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6924fa182a08b12b0e784284
Added to database: 11/25/2025, 12:36:40 AM
Last enriched: 11/25/2025, 12:51:14 AM
Last updated: 11/25/2025, 2:40:40 AM
Related Threats
- CVE-2025-59373: CWE-732 Incorrect Permission Assignment for Critical Resource in ASUS MyASUS (High)
- CVE-2023-41419: n/a (Unknown)
- CVE-2025-65951: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in mescuwa entropy-derby (High)
- CVE-2025-65944: CWE-201 Insertion of Sensitive Information Into Sent Data in getsentry sentry-javascript (Medium)
- CVE-2025-65018: CWE-787 Out-of-bounds Write in pnggroup libpng (High)