CVE-2024-4153 Information

Description

A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to bypass user creation limits and potentially evade payment requirements. The issue arises from an undefined behavior when handling input to the API specifically through a POST request to the /v1/users endpoint. By crafting a request with a new user’s email and assigning them an ‘admin’ role attackers can invite additional users beyond the set limit. This vulnerability could be exploited to add an unlimited number of users without adhering to the intended restrictions.

Reference

https://huntr.com/bounties/336db0ae-fe33-44b9-ba9d-bf117e0d90c4