CVE-2024-9095
CVSS 3.0 Score 9.8 of 10 (critical)
Details
Published Mar 20, 2025
CWE ID 285
Summary
CVE-2024-9095 is a vulnerability affecting the lunary-ai/lunary package in version 1.4.28. The issue lies in the unsecured /bigquery API route, which allows any authenticated user to create Datastreams to Google BigQuery and export the entire database. This can expose sensitive data, such as password hashes and secret API keys, posing risks of data breaches, credential compromise, and service disruptions. The route is protected by a configuration check, but it does not verify the user's access level and has no proper access control middleware.
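The gap described in the summary, a route gated by a configuration check but not by the caller's access level, is shown below as an added example; it is not code from the lunary project. The role names, the config flag, the status codes and the dispatcher are assumptions made for illustration.

```javascript
// Added illustration. Role names, the config flag and the handler are
// hypothetical; none of this is taken from the lunary code base.
const config = { bigQueryEnabled: true }; // constructed deployment setting
const EXPORT_ROLES = new Set(["owner", "admin"]); // assumed privileged roles

// Before: the only route-level gate is a deployment configuration check.
function configOnlyGuard(ctx) {
  return config.bigQueryEnabled ? null : 404;
}

// After: keep the config check, then authorize the caller's role.
function roleGuard(ctx) {
  const denied = configOnlyGuard(ctx);
  if (denied) return denied;
  return EXPORT_ROLES.has(ctx.user.role) ? null : 403;
}

// Minimal dispatcher: authentication, then the route guard, then the
// handler. Every decision is appended to an audit log for later review.
function dispatch(guard, ctx, auditLog) {
  let status;
  if (!ctx.user) status = 401;       // unauthenticated request
  else status = guard(ctx) || 201;   // 201 = datastream created
  auditLog.push({
    route: "POST /bigquery",
    user: ctx.user ? ctx.user.id : null,
    role: ctx.user ? ctx.user.role : null,
    status,
  });
  return status;
}

// Constructed callers: an anonymous request, a low-privilege user, an admin.
const callers = [
  { user: null },
  { user: { id: "u-viewer", role: "viewer" } },
  { user: { id: "u-admin", role: "admin" } },
];

// Run every constructed caller through the route with the given guard.
function runAll(guard) {
  const auditLog = [];
  const statuses = callers.map((ctx) => dispatch(guard, ctx, auditLog));
  return { statuses, auditLog };
}

console.log("config check only:", runAll(configOnlyGuard).statuses);
console.log("with role check:  ", runAll(roleGuard).statuses);
```

The audit entries double as a review aid: a 201 on this route recorded for a non-privileged role is the pattern to look for in logs from an unpatched deployment.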
Affected Vendors
- Lunary