Skip to main content

Lumiverse CVE-2026-44451

| EUVDEUVD-2026-31979 CRITICAL
Protection Mechanism Failure (CWE-693)
2026-05-26 GitHub_M
9.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
May 26, 2026 - 22:02 EUVD
Analysis Generated
May 26, 2026 - 21:01 vuln.today

DescriptionGitHub Advisory

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed. String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments ('ownerDoc' + 'ument'). DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node['ownerDoc'+'ument']['def'+'aultView'] yields the real window, bypassing all identifier shadows. Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session.This vulnerability is fixed in 0.9.7.

AnalysisAI

Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary JavaScript in a victim's authenticated session by delivering a malicious theme pack (.lumitheme / .lumiverse-theme). The component override system's Sucrase-transpiled TSX sandbox is bypassed via string concatenation of blocked identifiers and DOM ref traversal to retrieve the real window object, defeating both static source validation and runtime global shadowing. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-rgp6-55rw-5xf4) documents the exact bypass technique.

Technical ContextAI

Lumiverse (cpe:2.3:a:prolix-oc:lumiverse) implements a client-side plugin model where user-supplied TSX is transpiled with Sucrase and evaluated through new Function with a curated scope that shadows fetch, window, eval and similar globals with undefined. A regex-based static validator (validateComponentOverrideSource) attempts to reject these identifiers at parse time using word-boundary matching. The root cause maps to CWE-693 (Protection Mechanism Failure): both layers are defeated because (1) string concatenation such as 'ownerDoc'+'ument' reconstructs forbidden identifiers at runtime, evading the regex, and (2) React's useRef/useEffect are exposed in scope, so a ref attached to a rendered element exposes a live DOM node whose ownerDocument.defaultView property returns the genuine window - restoring full access to network, storage, and DOM APIs that the shadow scope was meant to block.

RemediationAI

Upgrade to Lumiverse 0.9.7, which is the vendor-released patch identified in advisory GHSA-rgp6-55rw-5xf4 at https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-rgp6-55rw-5xf4. Until the upgrade is applied, do not import .lumitheme or .lumiverse-theme files from untrusted sources and disable any existing component overrides in the Theme Editor, since a single enabled override is sufficient to trigger the payload; the trade-off is losing customization provided by trusted packs. As a stronger compensating control, restrict theme imports to packs whose source TSX has been manually reviewed for ref-based DOM traversal patterns (e.g., ownerDocument, defaultView, or any bracket-indexed string concatenation against React refs), accepting that manual review does not scale and is brittle against obfuscation.

Share

CVE-2026-44451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy