Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a dupplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7.
AnalysisAI
Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthorized accounts by exploiting a race condition in the consumeNonce() function. When an admin's user-creation request fails due to a duplicate email - causing BetterAuth to reject at the validation layer - the nonce is set but never consumed, leaving a 10-second window during which any POST to /api/auth/sign-up/email will succeed regardless of the sender. No public exploit code exists and no CISA KEV listing is present; exploitation requires precise timing and the ability to observe or predict an admin's failed duplicate-email attempt, consistent with the CVSS AC:H rating.
Technical ContextAI
Lumiverse (cpe:2.3:a:prolix-oc:lumiverse:*:*:*:*:*:*:*:*) is an AI chat application that integrates BetterAuth for account management. The vulnerable component is consumeNonce(), a server-side guard on the POST /api/auth/sign-up/email endpoint. The function only checks whether a module-level (shared) nonce variable is populated and within its expiry window - it neither validates any nonce token present in the incoming HTTP request nor binds the nonce to the initiating admin's session. CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) precisely describes this root cause: the nonce is a shared mutable state that is written during an admin-initiated flow but skips consumption when BetterAuth rejects the underlying signUpEmail() call at the validation layer (e.g., a duplicate email conflict). The resulting 10-second expiry window becomes a de facto open registration slot exploitable by any concurrent network request.
RemediationAI
The primary fix is to upgrade Lumiverse to version 0.9.7, which corrects the nonce implementation as confirmed by the vendor advisory at https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-6fcp-x253-wwv7. The patch is expected to bind the nonce to the admin's session and/or validate a per-request token, eliminating the shared-state race condition. If immediate upgrade is not feasible, operators should restrict network access to the POST /api/auth/sign-up/email endpoint via reverse-proxy ACLs or firewall rules, limiting requests to trusted administrative source IPs only - note this may break legitimate self-registration workflows if any are in use. An additional compensating control is to disable open user registration entirely and route all account creation through a privileged admin-only API surface, isolating the vulnerable endpoint from untrusted callers until the patch can be applied.
Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-
Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary Jav
Host-level code execution in Lumiverse AI chat application (versions prior to 0.9.7) allows admin-authenticated attacker
Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31982