6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-6087

GHSA ID

GHSA-6p2q-8qfq-wq7x

EPSS Score

0.26032%

CWE

CWE-284

Published

9/13/2024

Updated

11/18/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-6087

CVE-2024-6087:
Lunary improper access control vulnerability

An improper access control vulnerability exists in lunary-ai/lunary prior to commit 844e8855c7a713dc7371766dba4125de4007b1cf on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.

(GitHub Advisory)

6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-6087

GHSA ID

GHSA-6p2q-8qfq-wq7x

EPSS Score

0.26032%

CWE

CWE-284

Published

9/13/2024

Updated

11/18/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
lunary	npm	< 1.4.9	1.4.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues:

The password reset endpoint (/reset-password) in index.ts lacked validation of the JWT token's 'type' claim. This allowed any token with a valid email (including those from user invites) to trigger a password reset.
The requestPasswordReset function in utils.ts generated tokens without a 'type' identifier. While not directly vulnerable, this design allowed cross-purpose token reuse when combined with the missing type check in the reset endpoint. The patch addressed both by adding a 'type' field to tokens and enforcing type validation in the reset flow, closing the access control gap.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n improp*r ****ss *ontrol vuln*r**ility *xists in lun*ry-*i/lun*ry prior to *ommit **************************************** on t** m*in *r*n**. T** vuln*r**ility *llows *n *tt**k*r to us* t** *ut* tok*ns issu** *y t** 'invit* us*r' *un*tion*lity to

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *. T** p*sswor* r*s*t *n*point (/r*s*t-p*sswor*) in in**x.ts l**k** v*li**tion o* t** JWT tok*n's 'typ*' *l*im. T*is *llow** *ny tok*n wit* * v*li* *m*il (in*lu*in* t*os* *rom us*r invit*s) to tri***r *

6.5

Basic Information

Concerned about an active attack path?

CVE-2024-6087: Lunary improper access control vulnerability

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-6087:
Lunary improper access control vulnerability

Vulnerability Intelligence
Miggo AI