VYPR
High severity 7.7 · OSV Advisory · Published Aug 18, 2025 · Updated Apr 15, 2026

CVE-2025-4962

Description

An Insecure Direct Object Reference (IDOR) vulnerability was identified in the POST /v1/templates endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the projectId query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified projectId. The vulnerability has been addressed in version 1.9.23.
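
The missing ownership check described above, as an added example that is not Lunary's code or its actual patch: an in-memory model of a template-creation handler that first trusts `projectId` from the query string, then verifies the authenticated user's project membership before writing. The function names, request shape, and sample users and projects are assumptions constructed for illustration.

```javascript
// Constructed sample data: which authenticated users belong to which projects.
const memberships = new Map([
  ["user-alice", new Set(["proj-alice"])],
  ["user-bob", new Set(["proj-bob"])],
]);
const templates = []; // stand-in for the templates table

// Hypothetical request shape: user comes from the session, query from the URL.
function makeReq(userId, projectId, slug) {
  return { user: { id: userId }, query: { projectId }, body: { slug } };
}

// "Before": the client-supplied projectId is written as-is, so any
// authenticated user can create a template in any project.
function createTemplateUnchecked(req) {
  const row = { projectId: req.query.projectId, ownerId: req.user.id, slug: req.body.slug };
  templates.push(row);
  return { status: 201, body: row };
}

// "After": the server checks that the session user is a member of the
// requested project before touching storage.
function createTemplateChecked(req) {
  const { projectId } = req.query;
  // A repeated query parameter can arrive as an array; accept one string only.
  if (typeof projectId !== "string" || projectId === "") {
    return { status: 400, body: { error: "projectId must be a single string" } };
  }
  const allowed = memberships.get(req.user.id);
  if (!allowed || !allowed.has(projectId)) {
    // Same response for "no such project" and "not yours", so the reply
    // does not confirm which project IDs exist.
    return { status: 404, body: { error: "project not found" } };
  }
  const row = { projectId, ownerId: req.user.id, slug: req.body.slug };
  templates.push(row);
  return { status: 201, body: row };
}
```
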

Affected products

2
  • Lunary AI/Lunary (OSV): 2 versions
    • (no CPE)
    • (no CPE), range: <1.9.23
