VYPR
Unrated severityNVD Advisory· Published Mar 20, 2025· Updated Oct 15, 2025

IDOR Vulnerability in PATCH `/v1/runs/:id/score` Endpoint in lunary-ai/lunary

CVE-2024-11137

Description

An Insecure Direct Object Reference (IDOR) vulnerability exists in the PATCH /v1/runs/:id/score endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the runId_score in the database. The endpoint does not sufficiently validate whether the authenticated user has permission to modify the specified runId, enabling an attacker with a valid account to modify other users' runId scores by specifying different id values. This issue was fixed in version 1.6.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Lunary AI/Lunaryllm-fuzzy2 versions
    = 1.6.0+ 1 more
    • (no CPE)range: = 1.6.0
    • (no CPE)range: unspecified

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.